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ABSTRACT 


This  thesis  investigates  the  requirements  for  establishing 
security  criteria  in  designing  and  developing  a  local  area 
network  (LAN)  for  an  aviation  squadron.  In  particular,  it 
concentrates  on  the  security  problems  and  control  issues  in 
the  design  of  a  LAN.  A  survey  of  the  security  literature  on 
computer  security  was  conducted  to  develop  a  model  for 
identifying  security  problems  in  a  local  area  network  and 
devise  control  solutions.  A  case  study  was  written  based  on 
the  literature  review  and  previous  experience  in  the  aviation 
community.  Although  many  controls  solutions  are  discussed, 
adequate  planning,  common  sense  and  proper  user  training  all 
play  an  integral  part  in  developing  an  atmosphere  of  security 
awareness  in  networks. 
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I. 


INTRODUCTION 


A .  BACKGROUND 

The  1990 's  will  see  information  processed  faster,  cheaper 
and  a  significant  increase  in  networking  of  computers. 
Indeed,  local  area  networks  (LANs)  are  becoming  more  popular 
with  the  proliferation  of  microcomputers  in  the  work  place. 
The  reason  for  the  local  area  network  (LAN)  popularity  is 
described  by  Chorafas'  statement  "that  the  essence  of  the 
personal  computer  (PC)  and  LAN  revolution  is  individual  access 
at  an  affordable  price."  [Ref.  l:p.  9]  As  LANs  have  expanded 
in  the  work  place,  problems  have  developed  which  should  have 
been  anticipated  in  the  design  and  planning  phase  of  the 
project . 

In  this  age  of  information  technology,  computer  security 
is  a  basic  concern  in  the  Department  of  Defense  (DoD)  and  the 
Department  of  the  Navy  (DoN) .  Microcomputer  security  is  a 
relatively  new  arena  that  involves  many  of  the  old  mainframe 
security  issues  plus  new  problem  areas  in  microcomputers  and 
networks . 

Two  important  issues  to  consider  in  the  design  of  a  local 
area  network  (LAN)  are  security  and  control.  Security  deals 
with  more  than  the  protection  of  classified  information  in  a 
LAN.  Security  topics  for  any  compute-'  rystem  include  such 
areas  as  service  denial,  damage,  unintentional  harm  and 
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viruses.  Security  and  control  measures  are  equally  important 
in  an  unclassified  environment  when  dealing  with  sensitive  or 
personal  information.  These  areas  will  be  discussed  in  the 
thesis . 

The  addition  of  more  microcomputers  can  create  highly 
dispersed,  redundant  databases  and  possibly  inefficient  use  of 
computer  hardware. 

In  an  atmosphere  of  budget  cuts  and  monetary  restraint, 
the  Navy  should  start  to  focus  on  establishing  local  area 
networks  to  share  software,  hardware  and  information.  With 
the  expansion  of  microcomputers  in  Navy  aviation  squadrons,  it 
is  feasible  to  buy  local  area  networks  and  resolve  this 
problem. 

B.  OBJECTIVES 

The  objective  of  this  thesis  is  to  identify  security 
problems  and  control  solutions  in  the  design  of  local  area 
networks.  After  identifying  the  issues  and  the  areas  to 
examine,  a  case  study  is  presented  to  demonstrate  the 
security  concerns  in  a  network  environment.  It  can  be  used  to 
raise  security  awareness  of  officers  in  charge  of  implementing 
LANs  at  Navy  aviation  squadrons. 

The  second  objective  is  to  outline  security  and  control 
issues  and  their  importance  in  LANs  and  microcomputers. 
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C.  THE  RESEARCH  QUESTION 

The  research  question  is  "What  are  the  security  problems 
and  control  solutions  in  a  local  area  network  design  for  an 
aviation  squadron?"  These  issues  should  be  addressed  in  the 
planning  and  design  phase  to  avoid  unnecessary  cost  for 
additional  software  and  future  expansion. 

D.  SCOPE  AND  LIMITATIONS 

The  main  thrust  of  the  thesis  concentrates  on  the  security 
and  control  issues  in  the  design  of  a  local  area  network  in  an 
unclassified  environment.  The  issues  addressed  are 
appropriate  for  all  aviation  squadrons. 

This  thesis  does  not  suggest  a  particular  local  area 
network  architecture  for  a  squadron  or  develop  a  cost\benefit 
analysis  of  a  local  area  network.  Both  of  these  topics  are 
suggested  follow-on  topics  to  this  thesis. 

E.  RESEARCH  METHODOLOGY 

A  literature  review  was  conducted  to  compile  all  the 
security  and  control  issues  in  a  LAN  environment.  Department 
of  Defense  (DoD)  and  Department  of  the  Navy  (DoN)  instructions 
on  computer  security  and  networks  were  included  in  the  review. 

A  review  of  all  theses  completed  on  LANs  at  the  Naval 
Postgraduate  School  was  completed  to  examine  the  depth  that 
previous  theses  researched  into  the  security  and  control 
issues.  Omission  of  security  issues  in  the  s-utem  design  was 
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a  primary  limitation  on  all  previous  local  area  network 
theses . 

A  survey  of  the  security  literature  was  conducted  to 
develop  a  model  for  identifying  security  problems  in  a  local 
area  network  and  devise  control  solutions.  A  case  study  was 
written  from  the  literature  review  material. 

F.  ORGANIZATION  OF  THE  STUDY 

A  case  study  is  provided  in  Chapter  II  to  help  understand 
security  and  control  issues  in  a  patrol  aviation  squadron 
before  purchasing  a  network.  Chapter  III  is  a  general 
overview  of  LAN  characteristics.  Chapter  IV  presents 
classifications  of  security  problems  in  a  local  area  network. 
The  security  issues  include  hardware  security,  software 
security,  physical  security,  communication  security  and  human 
related  security.  Chapter  V  proposes  a  taxonomy  of  control 
solutions  in  local  area  networks.  The  control  issues  include 
but  are  not  limited  to  access  controls,  data  controls, 
communication  controls  and  management  controls.  Chapter  VI 
summarizes  the  findings  of  this  study  and  formulates 
recommendations  for  future  research. 


II .  A  CASE  STUDY  APPROACH  TO  ADDRESS 
SECURITY  PROBLEMS  IN  LANS 

A.  INTRODUCTION 

The  case  study  is  designed  for  classroom/workshop 
discussion  on  security  and  control  issues  in  computer  systems 
and  local  area  networks.  The  case  study  should  assist 
students  examine  different  problems  in  security  when  designing 
a  local  area  network. 

The  case  has  the  following  educational  objectives: 

To  identify  the  security  issues  involved  in  a  local  area 
network. 

To  develop  control  and  management  solutions  to  resolve 
the  security  problems. 

To  enable  the  student  to  gain  an  appreciation  of  the 
security  issues  in  an  unclassified  network  environment. 

B.  A  CASE  STUDY  FOR  A  NAVY  AVIATION  SQUADRON 

Originally  Patrol  Squadron  31  was  chosen  as  the  squadron 
upon  which  to  base  the  case.  This  determination  was  made 
because  of  the  size  of  the  command  and  the  number  of 
microcomputers  ( Zenith-248 ' s)  in  the  squadron.  After  further 
study  it  was  determined  tc  discuss  a  generic  squadron  case 
study  instead  of  a  specific  squadron.  The  typical  squadron 
has  had  an  inventory  consisting  of  between  four  to  six 
personal  computers  (PCs).  An  International  Data  Corporation 
(IDC)  report  released  in  September  1989  stated  that  the 
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average  number  of  microcomputers  or  nodes  in  a  typical  network 
was  9.51  in  1989.  IDC  forecast  that  the  average  node  per  LAN 
will  be  14.35  by  the  end  of  1993.  [Ref.  2:p.  41]  Figure  2.1 
depicts  the  average  nodes  per  LAN  from  1986  to  1989. 


Average  Nodes  Per  LAN 


10  ~r  9.51 


I  I  >  I 

1986  1987  1988  1989 


.‘Source;  [Ref.  2:p.  42] 

Figure  2.1  Average  Nodes  Per  LAN 


This  case  does  not  reflect  the  current  or  past  environment 
in  any  patrol  aviation  squadron.  Ninety  percent  of  the 
iti  formation  discussed  in  the  case  study  is  from  the  literature 
teviev.'.  I’crsonal  experience  from  two  patrol  aviation  commands 
and  ol-'se  rvat  i  ons  a.s  command  inspection  coordinator  on  an 
or,  I'soTs  staff  add  some  reality  to  the  case. 
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C.  A  CASE  STUDY:  LAN  PATROL 

As  the  fog  began  to  rise  over  the  runway,  the  morning 
drizzle  at  Naval  Air  Station  (NAS)  Whidbey  Island,  Washington 
started  to  subside.  NAS  Whidbey  Island  is  the  home  port  of 
Patrol  Squadron  FORTY-TWO  (VP-42) . 

VP-42  is  one  of  five  operational  fleet  patrol  aviation  (P- 
3C)  squadrons.  The  primary  mission  of  patrol  aviation  is  to 
detect  and  track  enemy  submarines.  The  squadron  is  composed 
of  approximately  40  officers  and  200  enlisted  personnel. 

The  Executive  Officer  (XO)  of  VP-42  is  Commander  (CDR) 
"Buss"  Ether.  CDR  Ether  just  completed  reading  an  article  in 
the  local  newspaper  on  the  effectiveness  and  capabilities  of 
local  area  networks  (LANs) .  After  writing  the  advantages  and 
disadvantages  of  a  LAN  on  a  note  pad  (Table  2.1)  ,  the  XO 
decided  to  talk  to  the  Commanding  Officer  (CO) .  The  XO  walked 
into  the  Commanding  Officer's  office  to  explain  the  benefits 
of  a  local  area  network  (LAN) . 

The  Commanding  Officer  is  CDR  "Bull"  Zenith.  A  salty 
Naval  Flight  Officer  (NFO)  who  has  spent  more  time  tracking 
submarines  while  in  the  head  (bathroom)  than  most  Lieutenants 
have  tracking  submarines  for  their  career. 

After  knocking  on  the  CO's  door,  the  XO  stepped  into  the 
office.  "CO,  I  think  it  is  time  for  this  squadron  to  acquire 
a  local  area  network." 

The  CO  stated,  "Well  XO,  what  are  the  advantages  of  a 
local  area  network?  How  much  will  it  cost?" 

The  XO  paused  and  remembered  from  the  article  a  few 
advantages.  "CO,  the  first  advantage  is  that  we  will  be  able 
to  send  electronic  mail  (E-mail)  to  all  the  departments. 
Another  advantage  is  a  centralized  database  and  sharing  of 
computer  resources  like  the  new  laser  printer.  I  have  listed 
further  advantages  and  some  disadvantages  of  a  LAN  for  you  to 
examine . " 
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TABLE  2.1 


ADVANTAGES  AND  DISADVANTAGES  OF  A  LAN 


Advantages 

1.  Electronic  mail  will  save  time  on  memo's  and  save 
individuals  from  searching  the  spaces  for  someone. 

2.  Resource  sharing  of  advance  equipment. 

3.  Elimination  of  redundant  databases. 

4.  Access  to  other  networks. 

Disadvantages 

1.  Games  being  played  on  the  network. 

2.  Possibility  of  viruses. 

3.  Expense  of  maintaining  network. 

4.  More  computer  training  required. 

5.  Someone  to  manage. 

6.  The  current  system  does  not  require  additional 
funds . 


"Thanks  XO."  As  the  CO  turned  to  his  organizational 
chart  on  the  wall  (Figure  2.2)  he  stated,  "OK  XO,  let's  assign 
one  of  our  new  Lieutenant  Commanders  to  review  the  security 
issues  and  report  his  findings." 

XO  stated,  "I  will  put  Lieutenant  Commander  (LCDR)  Token 
in  charge . " 

LCDR  Token  stepped  out  of  his  car  and  headed  towards  the 
Executive  Officer's  office  to  discuss  his  first  job  in  the 
squadron.  As  LCDR  "Ringer"  Token  stepped  into  the  XO '  s  office 
he  wondered  what  job  he  was  obtaining.  "Good  morning,  XO." 
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Figure  2.2  Unit  Organization 


"Good  morning,  'Ringer'.  Please  sit  down  so  I  can  discuss 
your  new  job.  You  are  going  to  be  the  new  Administration 
Officer  and  the  CO  has  tasked  you  with  a  small  project.  The 
command  is  interested  in  buying  a  local  area  network  (LAN) . 
I  want  you  to  look  into  the  security  problems  involved  in  a 
LAN.  I  believe  that  security  in  this  type  environment  is 
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small  so  the  project  should  be  done  quickly.  Do  some  research 
and  draft  a  response  to  the  CO." 

"Yes,  Sir.  Although  I  am  a  PC  novice,  this  should  be  an 
interesting  task." 

LCDR  Token  started  his  research  by  finding  an  inventory  of 


the  personal 

locations  are 

computers  in  the  command. 

summarized  in  Table  2.2. 

TABLE  2.2 

COMPUTER  RESOURCES  AT  VP- 

The  computers  and 

42 

COMPUTER 

DEPARTMENT 

NUMBER 

USE 

Unisys-386 

Administration 

2 

word  processing, 
graphics 

Unisys-386 

Operations 

1 

word  processing, 
spreadsheet 

Unisys-386 

Maintenance 

2 

word  processing, 
spreadsheet , 
database 

Unisys-386 

Training 

1 

word  processing 

Zenith-248 

Safety 

1 

word  processing 

Zenith-248 

Tactics 

1 

word  processing 

LCDR  Token  reviewed  the  Automatic  Data  Processing  (ADP) 
Security  Manual  and  pertinent  instructions  on  local  area 
networks.  He  researched  various  computer  magazines  on  local 
area  networks  including  LAN  Magazine  and  felt  a  little  more 
comfortable  about  the  security  issues.  Sitting  at  a  computer 
terminal,  Ringer  attempted  to  get  his  ideas  in  order.  First, 
he  had  to  find  his  diskettes.  He  always  had  a  habit  of 
leaving  the  diskettes  by  the  computer  and  usually  unlabeled. 
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since  the  computer  was  already  on,  he  wasted  no  time  typing  in 
his  ideas. 

LCDR  Token's  assistant  for  the  project  was  LT  Joe  Hacker. 
Joe  is  the  computer  wizard  of  the  squadron  and  usually  spends 
more  time  trying  to  sell  computers  to  his  squadron  mates  than 
actually  doing  his  job.  Joe  tells  LCDR  Token  not  to  worry 
about  purchasing  a  virus  checker  because  he  copied  a  program 
off  a  reliable  public  built  in  board.  Joe  is  excited  about 
the  new  LAN  and  can  not  wait  to  copy  the  latest  version  of 
WordPerfect  and  the  latest  spreadsheet  software. 

At  the  weekly  Tuesday  department  head  meeting,  the  CO 
asked  for  suggestion  on  security  measures  to  be  considered  for 
a  local  area  network.  Ideas  on  the  subject  should  be  given  to 
LCDR  Token  by  the  following  Friday. 

CDR  "Smithy"  Corona  is  the  LDO  Maintenance  Officer.  "We 
don't  need  a  LAN.  We  only  use  the  computers  for  word 
processing.  Sounds  like  this  could  be  an  expense  adventure. 
I  would  rather  have  a  couple  of  typewriters  and  a  good 
typist . " 

After  the  meeting,  "Ringer"  needed  a  breath  of  fresh 

air. 

As  "Ringer"  was  walking  back  to  his  office,  he  was  stopped 
by  LCDR  Bill  Compaq. 

Bill:  "Ringer,  can  I  talk  to  you  for  a  few  minutes  in  my 

office. " 

Ringer:  "Sure." 

Bill:  "Ringer,  I  heard  rumors  that  the  local  area  network 

is  going  to  have  many  security  features  and 
controls.  You  realize  if  you  have  too  many  controls 
nobody  will  use  the  system." 

Ringer:  "Bill,  we  are  just  in  the  design  phase.  I  have  to 
make  a  recommendation  on  what  type  of  security  the 
LAN  should  have  to  the  CO.  I  believe  that  u-~ers 
should  use  the  PC  lock  on  the  front  of  the  computer 
and  a  password  to  enter  the  LAN." 
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Bill: 


Ringer: 

Bill: 

Ringer: 

Bill: 

Ringer: 

Bill: 

Ringer: 

Bill: 

Ringer: 

Bill: 

Ringer: 


"People  don't  use  that  key.  Most  people  keep  the 
key  in  the  computer  or  hide  the  key  so  they  don't 
lose  it.  Additionally,  I  think  using  passwords  on 
an  unclassified  LAN  is  a  bad  idea.  I  have  enough 
items  to  memorize  now." 

"Don't  worry  about  the  password.  The  password  will 
be  easy  to  remember  and  each  department  will  have 
the  same  password. 

"Passwords  will  not  work.  The  user  will  write  the 
password  down  and  probably  post  it  on  the  computer." 

"Bill,  I  know  you  are  not  an  expert  on  local  area 
networks.  I  believe  the  unclassified  network  has 
two  basic  threats.  The  first  threat  is  viruses  that 
can  cause  denial  of  service." 

"Ringer,  viruses  are  not  a  threat,  that  is  all  media 
hype.  I  can  not  remember  a  single  virus  that  has 
infected  our  stand  alone  computers." 

"Bill,  viruses  can  do  damage.  The  LAN  has  to  have 
an  anti-virus  program  for  detection  of  viruses. 
This  program  will  be  on  the  network  so  users  can 
test  for  viruses.  Additionally,  the  access  to 
computer  bulletin  boards  should  be  restricted." 

"What,  I  think  you  are  going  too  far.  If  I  am  not 
busy  at  work,  I  want  to  use  the  bulletin  boards. 
Bulletin  boards  have  excellent  anti-virus  software 
that  we  can  use  for  free.  The  bulletin  boards  have 
graphic  programs  that  can  be  installed  on  the 
network.  Also,  the  computer  bulletin  boards  are 
local  calls." 

"First,  bulletin  boards  should  not  be  used  for 
playing  at  work.  Second,  some  bulletin  boards  are 
toll  calls." 

"I  don't  agree  with  you.  What  is  the  second 
threat?" 

"I  believe  the  second  threat  is  the  user." 

"The  user.  How  can  the  user  be  a  threat?" 

"I  read  an  article  that  stated  that  more  data  is 
lost  by  non-malicious  destruction  of  data  by  the 
user  than  through  planned  intrusion." 
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Bill:  "Ringer,  I  disagree.  The  user  is  your  greatest 

asset . " 

Ringer:  "True,  but  the  user  can  also  be  the  greatest 
liability.  People  are  not  going  to  admit  that  they 
made  a  mistake.  A  backup  system  should  be 
established  to  recover  lost  data.  Also,  training  of 
the  user  is  an  important  issue.  The  user  can  be  the 
greatest  asset  if  he/she  is  properly  educated." 

Bill:  "Well,  you  may  be  right  about  the  user.  What  type 

of  electrical  protection  will  the  system  have?" 

Ringer:  "I  believe  surge  protection  should  be  adequate." 

Bill:  "Ringer,  you  sound  like  an  expert  on  these  security 

measures.  I  vote  for  you  as  the  LAN  manager." 

Ringer:  "Bill,  this  is  a  small  network  of  eight  computers. 
A  LAN  manager  is  not  required." 

Bill:  "Ringer,  thanks  for  your  time.  I  just  want  to 

repeat  that  controls  are  unnecessary  in  an 
unclassified  environment.  I  believe  the  more 
controls  imposed  on  the  user  the  less  productive  the 
users  will  be." 

Ringer:  "Bill,  thanks  for  your  advice.  I  will  do  some  more 
research  on  the  subject." 

The  following  week  Token  received  the  responses  from  all 
the  department  heads.  Most  of  the  department  heads  agreed  on 
some  restriction  on  access  to  the  network.  All  the 
departments  wanted  access  to  the  network  from  their  house. 

The  department  heads  had  three  concerns  about  threats  to 
the  system.  The  major  threat  was  denial  of  service  if  the 
system  went  down.  The  integrity  of  the  data  was  the  second 
threat.  Finally,  the  confidentiality  of  sensitive  data  was 
the  third  threat. 

Since  the  Department  Heads  had  various  ideas,  "Ringer" 
decided  to  have  a  discussion  meeting  on  LAN  security.  He 
invited  the  Operations  Officer,  Training  Officer  and  the 
Maintenance  Officer. 
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Operations  Officer:  "Ringer,  I  think  we  all  agree  that  a 
backup  system  is  required  for  a  LAN.  Of  course, 
backups  are  essential  for  natural  disasters." 

Training  Officer:  "I  agree.  Also,  we  should  have  audit 
trails  to  detect  and  determine  problems." 

Ringer:  OK  guys.  Who  has  the  time  to  read  all  the 
information  from  the  audit  reports." 

Training  Officer:  "I  believe  the  Administrative  Officer  has 
plenty  of  time." 

Ringer:  "Thanks,  but  let's  get  back  to  the  issues." 

Operations  Officer:  "I  believe  the  LAN  should  be  centrally 
located.  A  cipher  lock  on  the  door  will  eliminate 
many  of  our  physical  security  problems.  The  central 
location  will  make  environmental  protection  items 
such  as  no  eating  or  smoking  easier  to  enforce." 

CDR  Corona:  "I  disagree.  A  centrally  located  LAN  is  not 
convenient  or  practical.  The  hangar  is  three 
football  fields  long.  I  will  have  no  one  to  answer 
the  phones.  The  LAN  should  be  in  the  work  spaces." 

Ringer:  "Well,  I  guess  the  CO  will  make  the  ultimate 
decision  on  the  location  of  the  LAN.  Is  the  network 
cabling  an  issue?  I  read  fiber  optics  is  superior 
protection  against  tapping  into  the  network." 

CDR  Corona:  "Ringer,  fiber  optics  may  be  out  of  our  price 
range.  I  don't  believe  a  threat  is  an  intruder 
tapping  into  cable.  The  intruder  probably  could 
learn  more  about  our  operation  from  the  local 
newspaper . " 

Ringer:  "Well,  if  tapping  into  our  cable  is  not  a  major 
consideration  for  cabling,  what  is? 

CDR  Corona:  "I  am  not  an  expert  on  cabling,  but  I  would  bet 
shielding  against  noise  should  be  a  consideration." 

Training  Officer:  "I  agree.  Noise  immunity  may  play  a 
large  factor  in  a  noisy  hangar  environment.  I  bet 
an  electric  pencil  sharpener  can  play  havoc  on  a 
unshielded  cable  network." 

Operations  Officer:  "I  guess  the  big  question  is  whether  we 
should  have  unlimited  access  to  the  network.  I 
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believe  unlimited  access  in  this  unclassified 
environment  is  justified." 

CDR  Corona:  "I  disagree  with  unlimited  access.  We  need 
some  type  of  restrictions  on  files  and  directories. 
Everyone  does  not  need  access  to  all  files.  Fitness 
reports  and  enlisted  evaluation  can  contain 
sensitive  information.  Additionally,  users  may  get 
lazy  and  place  classified  information  on  the 
network . " 

Ringer:  "I  agree  with  the  CDR  Corona.  Unlimited  access  is 
asking  for  security  problems.  Privacy  Act 

information  such  as  social  security  number,  medical 
history  and  home  address  must  be  protected. 
Passwords  may  be  required." 

Training  Officer:  "Passwords  are  necessary.  I  think 
another  solution  may  be  to  limit  copying  of 
diskettes  by  using  diskless  PCs." 

CDR  Corona:  "First,  we  should  connect  the  computers  in  the 
inventory  and  monitor  the  capability  of  the  LAN. 
Second,  I  want  to  be  able  to  use  the  computer  when 
the  network  is  down.  I  don't  believe  diskless  PCs 
have  that  capability." 

Ringer:  "The  last  item  to  discuss  is  computer  training. 

Operations  Officer:  "Our  personnel  are  adequately  trained. 

I  think  a  basic  introduction  into  LAN  operation  and 
security  should  be  adequate.  Experience  is  the  best 
training . " 

CDR  Corona:  "I  want  to  emphasize  that  we  are  not  dealing 
with  sophisticated  compu^-er  hackers  in  our 
organization.  We  are  deal-  with  users  who  make 
honest  mistakes.  They  t nould  be  adequately 
trained . " 

Operations  Officer:  "I  think  one  area  we  should  emphasize 
is  user  accountability.  Everyone  is  accountable  for 
their  actions  and  this  should  be  incorporated  into 
security  awareness  training. 

Ringer:  "I  would  like  to  thank  every  one  for  coming  today 
but  our  time  is  up.  Thanks  again." 

After  compiling  all  the  data,  "Ringer"  decided  it  was  time 
to  eat.  As  "Ringer"  was  walking  to  lunch,  he  was  stopped  by 
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Lieutenant  (LT)  Bob  Smith.  LT  Smith  is  the  Communications 
Officer.  "Ringer,  when  the  LAN  is  installed  I  will  order  a 
Tempest  check  on  the  network.  If  the  system  passes  Tempest, 
then  we  can  place  classified  information  on  the  network." 

"Bob,  this  is  an  unclassified  network.  No  classified 
information  will  be  allowed." 

"OK  'Ringer',  I  am  just  planning." 

As  "Ringer"  started  to  write  his  proposal  he  had  a 
dilemma.  He  already  knew  that  the  XO  felt  that  the  security 
issues  were  small  items.  He  also  knew  that  he  would  be 
working  closely  with  the  XO  as  the  Administration  Officer.  He 
believed  that  definite  areas  needed  addressing  and  decided  to 
make  the  following  recommendations: 

Recover  system  using  backups  reguired. 

Audit  trails  unnecessary. 

Anti-virus  software  on  the  network. 

Modem  capability  required.  Therefore,  remote  logins 
authorized  with  a  call  back  feature  from  the 
communication  server. 

Train  users  on  the  fundamentals  of  the  LAN. 

Minimal  controls  to  increase  productivity. 

Software  purchased  to  blank  screen  when  no  key  strokes  in 
ten  minutes. 

A  risk  assessment  is  not  required  since  we  had  one  three 
years  ago  and  the  assessment  is  good  for  five  years. 

Limited  access  to  the  network  with  passwords  required. 

As  "Ringer"  was  leaving  the  hangar,  the  clouds  were 
returning  for  more  rain.  He  wondered  how  secure  a  network 
should  be  and  if  he  missed  any  of  the  problems.  He  knew  time 
would  tell. 


16 


D.  TEACHING  GUIDE 


1 .  Overview 

The  case  study  is  designed  to  examine  security  issues 
in  a  local  area  network  (LAN) .  The  case  was  developed  so  the 
students  can  discuss  the  problems  and  various  control 
solutions.  The  student  should  be  able  to  link  the  security 
problems  with  control  measures  after  studying  the  case.  This 
case  assumes  the  student  has  basic  security  awareness. 

2 .  Session  Structure 

The  focus  should  be  on  security  concerns  when 
designing  a  LAN.  What  are  the  major  security  problems?  How 
can  they  be  resolved?  Are  hardware  and  software  controls  the 
only  answer  to  a  true  secure  system?  Additional  topics  area 
discussed  in  the  case  were  resistance  to  change,  controls 
versus  productivity,  and  perceptions  that  security  is 
unimportant  in  a  unclassified  environment. 

3 .  Class  Discussion 

The  case  was  written  in  such  a  way  that  the  officers 

in  the  case  identified  only  partial  solutions.  The  students 

can  list  the  problems  discussed  and  examine  how  each  problem 

was  handled.  The  following  guestions  could  also  help  direct 

the  students  to  critical  security  issues. 

What  are  the  security  issues  in  this  case? 

How  validate  are  "Ringer's"  recommendations? 

How  important  are  the  roles  of  the  LAN's  users  in  the 
successful  implementation  of  a  security  program? 
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All  the  technical  and  managerial  elements  necessary  to 
address  security  are  developed  in  the  remaining  chapters  of 
this  thesis. 
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Ill .  BASIC  LAN  TERMINOLOGY 


A.  INTRODUCTION 

Before  examining  the  security  issues  in  a  local  area 
network,  a  brief  discussion  of  LANs  is  presented  for 
individuals  not  familiar  with  LANs.  This  chapter  is  a  general 
overview  of  LAN  characteristics.  This  is  not  a  thorough 
description  of  LANs  and  can  be  skipped  with  no  loss  in 
continuity.  For  more  technical  information  on  local  area 
networks  the  following  books  could  be  recommended:  Local  Area 
Networks:  The  Second  Generation  by  Thomas  W.  Madron  and 
Com, outer  Networks.  2nd  ed.  ,  by  Andrew  S.  Tanenbaum. 

The  question  is  "What  is  a  local  area  network?" 

A  local  area  network  consists  of  a  set  of  nodes  which 
are  interconnected  by  a  set  of  links.  The  nodes  may  be 
term.inals,  microcom.puters ,  minicomputers,  mainframes, 
printers,  hard  disks  or  workstations.  The  links  may  be 
coaxial  cable,  twisted  pair  wires  or  fiber  optic  cable. 
[Ref.  3:p.  1] 

In  simple  terms,  a  LAN  connects  computers  together  to 
share  resources  of  information,  hardware  and  has  the  ability 
to  send  messages  within  the  network. 

LANs  usually  have  the  following  three  characteristics 
[Ref.  4:p.  117]: 

A  diameter  of  not  more  than  a  few  kilometers.  The  LAN  is 
usually  networked  in  the  same  building  or  adjacent 
buildings . 

A  total  data  rate  of  at  least  several  million  bits  per 
second  (MBPS ) . 
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Ownership  by  a  single  organization. 

Advantages  of  a  LAN  art  [Ref  5:pp.  169-175]: 

LANs  facilitate  resource  sharing  of  data,  processing 
capabilities,  data  storage,  communication  lines,  and 
output  devices  such  as  laser  printers. 

Devices  may  be  added  to  the  network  as  the  need  arises. 
This  is  called  modularity  and  provides  for  an  orderly 
growth  of  services. 

LAN  has  electronic  mail  capability  which  allows  messages 
to  be  sent  from  one  linked  computer  to  another. 

B.  LAN  ARCHITECTURE 

There  are  basically  two  logical  architectures  "that  are 
supported  on  PC  LANs  today — peer-to-peer  and  client/server 
architectures."  [Ref.  6:p.  51] 

The  peer-to-peer  architecture  "requires  no  dedicated  file 
server  because  any  node  on  the  network  may  selectively  share 
its  local  hard  disk  with  other  nodes  on  the  network."  [Ref. 
6:p.  51]  Since  no  additional  hardware  is  required  and  the 
cost-per-node  is  usually  lower,  the  peer-to-peer  is  a  favorite 
choice  of  smaller  organizations.  The  problem  with  peer-to- 
peer  is  a  lack  of  a  centralized  database  and  lower 
performance.  [Ref.  6:p.  51] 

In  the  client/server  architecture,  services  are  provided 
by  a  file  and  a  print  server.  The  file  and  print  server  "do 
not  provide  any  direct  user  application  support,  but  provide 
an  optimized  design  for  file  level  I/O  requests  and  spooled 
print  services."  [Ref.  6:p.  52] 
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The  higher  cost  of  a  client/server  architecture  is  "offset 
by  higher  performance  and  more  sophisticated  security  provided 
by  the  software."  [Ref.  6:p.  52]  The  advantages  are  the 
client/server  provides  better  control  of  user  access  and 
backup  operations  than  the  peer-to-peer  architecture. 

There  are  three  types  of  servers  which  are  file  servers, 
print  servers  and  communication  servers.  The  server  "contains 
the  hardware  and  at  least  part  of  the  software,  necessary  to 
produce  the  service."  [Ref.  7:p.  15] 

Servers  are  usually  located  remote  from  the  user  and  are 
"designed  for  multi-user  access  to  expensive,  complicated,  or 
infrequently  used  services."  [Ref.  7:p.  16] 

A  communication  server  "is  a  separate  machine  on  the  LAN 
that  allows  network  users  to  con’^e.-.t  to  the  outside  world 
through  one  modem."  [Ref.  8:p.  105]  Communication  servers 
are  usually  called  eiuher  g-  teways  or  bridges.  Gateways 
contain  the  "hardware  and  software  necessary  for  two 
technologically  different  networks  to  communicate  with  one 
another."  [Ref.  7:p.  18]  For  example,  an  ethernet  and  a 
token  ring  are  connected  via  a  gateway  [Ref.  7;p.  18]. 
Ethernets  and  token  ring  terminology  are  discussed  in  Section 
D  of  this  chapter. 

Bridges  are  used  to  link  two  technologically  similar 
networks.  Combining  two  Ethernets  would  use  a  bridge.  [Ref. 


C.  TOPOLOGY  AND  ACCESS  PROCEDURES 

Topology  is  the  network  cont iguration.  The  topology  is 
described  by  Charles  P.  Pfleeger: 

A  single  computing  system  in  a  network  is  often  called 
a  node,  and  its  processor  (computer)  is  called  a  host.  A 
connection  between  two  hosts  is  known  as  a  link,  and  the 
pattern  of  links  in  a  network  is  called  the  topology  of  the 
network.  [Ref.  9:p.  368] 

There  are  basically  six  types  of  network  configurations. 
They  are: 

Point-to-point. 

-  Multipoint. 

Star. 

Ring. 

Bus . 

Hierarchical. 

A  point-to-point  is  a  simple  network.  It  consists  of  a 
computer  connected  to  one  terminal.  Multipoint  is  an 
extension  of  point-to-point  in  that  instead  of  one  remote 
terminal  "there  are  multiple  remote  terminals."  [Ref.  7:p. 
11]  A  local  network  will  normally  have  intelligence  at  all  or 
most  points  on  the  system  without  the  necessity  for  any 
central  system.  [Ref.  7;p.  13] 

The  star  topology  uses  a  centralized  computer.  All  nodes 
communicate  through  the  central  computer. 

The  ring  topology  "is  organized  by  connecting  network 
nodes  in  a  closed  loop  with  each  node  linked  to  those  adjacent 
on  the  right  and  left."  [Ref.  7:p.  13] 
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The  bus  topology  connects  all  the  computers  to  one  line  or 
backbone.  All  the  computers  on  the  bus  topology  listen  for  a 
message  for  them. 

The  hierarchical  network  is  a  "fully  distributed  network 
in  which  computers  feed  into  con.puters  that  in  turn  feed  into 
computers."  [Ref.  7:p.  13] 

Figure  3.1  depicts  the  network  topologies.  The  three  most 
common  topologies  are  the  star,  ring  and  bus. 


Point-tO'PoinI  Multipoint 


Bus  Structure 


Source:  [Ref.  7:p.  15] 

Figure  3.1  Network  Topologies 
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The  topologies  "may  be  grouped  according  to  the  way  in 
which  signals  are  passed  within  them."  [Ref.  5:p.  182] 
Broadcast  and  sequential  are  techniques  for  propagating 
signals  that  contain  information.  [Ref.  5;p.  182] 

In  broadcast,  signals  "are  sent  simultaneously  to  all 
nodes  on  the  network."  [Ref.  5:p.  182]  Because  each  node  has 
the  possibility  to  communicate  simultaneously,  each  node  is  in 
contention  for  the  line. 

The  bus  and  star  topologies  support  the  broadcast  mode. 
The  main  advantages  are  responsiveness  and  speed  in  a  moderate 
size  network.  The  disadvantages  of  the  broadcast  mode  include 
extra  expenses  of  detection  and  correction  of  collisions  on 
the  contention  line  and  high  installation  expense.  [Ref.  5:p. 
182] 

The  sequential  mode  is  used  for  point-to-point  or  ring 
topologies  to  pass  data  messages.  Control  is  passed  from  one 
node  to  another  to  send  or  receive  messages. 

Network  topology  and  access  procedures  are  closely 
related.  Access  procedures  are  the  rules  for  the  nodes  or 
microcomputers  to  communicate  with  each  other  on  the  network. 
These  access  procedures  include  [Ref.  5:p.  184]: 

Carrier-sense  multiple-access  with  collision  detection 

(CSMA/CD) . 

Token  ring. 

Token  bus. 
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CSMA/CD  is  a  collision-handling  scheme  that  avoids  the 
possibility  of  two  nodes  communicating  at  the  same  time  on  the 
network.  CSMA/CD  is  used  in  broadcast  topologies  and  has  good 
performance  at  low  to  medium  loads.  The  disadvantage  is  no 
guarantee  of  transmission  for  the  node.  [Ref.  5:p.  184] 

The  Token  ring  uses  sequential  control  to  give  access  to 
each  node  via  a  token.  The  token  ring  access  method  is  "used 
within  ring  topologies  that  handle  messages  as  discrete 
packets."  [Ref.  5;p.  185]  A  token  bus  approach  combines  the 
broadcast  characteristics  of  a  bus  topology  with  the  control 
features  of  token-passing  schemes.  [Ref.  5:p.  185] 


D.  TRANSMISSION  MEDIA 

Local  area  networks  use  various  media  to  provide  services. 

The  transmission  medium  is  the  physical  connection 
between  network  transmitters  (sources)  and  receivers 
(destinations)  ,  bridging  the  distance  between  them.  It  m.ay 
be  a  pair  of  wires,  coaxial  cable,  radio  waves,  optical 
fibers,  or  infrared  transmissions  through  the  atmosphere. 
[Ref.  10:p.  35] 

In  designing  a  local  area  network,  and  for  security 
purposes,  the  organization  must  consider  the  "characteristics 
of  the  medium,  immunity  to  noise,  and  cost."  [Ref.  10:p.  35] 

The  most  common  types  of  transmission  medium  are  twisted 
pair  copper  cables,  coaxial  cables  and  fiber  optics. 

The  oldest  and  most  common  transmission  medium  is  twisted 
pair.  "The  twisted  form  is  used  to  reduce  electrical 
interference  to  similar  pairs  close  by."  [Ref.  4:p.  58]  The 
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telephone  system  was  the  most  common  application  of  twisted 
pair. 

A  problem  with  twisted  pair  is  that  "copper  wire  has 
limitations  for  data  transmission  over  distances  of  any 
magnitude."  [Ref.  7:p.  27] 

A  coaxial  cable  consists  of  a  stiff  copper  wire  as  the 
core,  surrounded  by  an  insulating  material.  The  insulator 
is  encased  by  a  cylindrical  conductor,  often  as  a  closely 
woven  braided  mesh.  The  outer  conductor  is  covered  in  a 
protective  plastic  sheath.  [Ref.  4:p.  58] 

Coaxial  cable  is  better  than  twisted  pair  in  noisy 
environments.  Coaxial  cable  is  either  baseband  or  broadband. 
Baseband  coaxial  is  digital  and  uses  a  50  ohm  cable.  The 
advantages  include  excellent  noise  immunity  and  high 
bandwidth . 

Broadband  coaxial  cable  is  used  in  cable  television  and 
uses  analog  transmission.  Broadband  in  computer  networks 
means  "any  cable  network  using  analog  transmission."  [Ref. 
4:p.  60] 

"One  key  difference  between  baseband  and  broadband  is  that 
broadband  systems  need  analog  amplifiers  to  strengthen  the 
signal  periodically."  [Ref.  4:p.  60]  "Baseband  is  simple  and 
inexpensive  to  install,  and  requires  inexpensive  interfaces." 
[Ref.  4:p.  61]  Baseband  is  adequate  for  data  communication  up 
to  a  distance  of  1  km  and  is  a  single  digital  channel.  Broad¬ 
band  is  multiple  channels  and  can  transmit  data,  voice  and 
video . 
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In  fiber  optics  data  are  transmitted  by  pulses  of  light 
through  non-conducting  glass.  "Currently  available  fiber 
optics  systems  can  transmit  data  at  or  about  1000  Mbps  for  1 
km."  [Ref.  4:p.  63] 

Many  of  the  problems  inherent  in  twisted  pair  and 
coaxial  are  avoided  with  fiber  optics,  although  the  optic 
properties  of  cable  can  be  affected  by  kinks  or  similar 
damage.  The  potential  transmission  speed  of  fiber  optic 
cable  is  higher  than  coaxial,  and  coaxial  is  higher  than 
twisted  pair.  [Ref.  7:p.  28] 

Another  advantage  of  fiber  optics  over  coaxial  is  that 
fiber  optics  can  run  long  distances  without  repeaters. 
"Security  is  excellent  because  fiber  does  not  radiate  and 
wiretappers  will  have  as  much  trouble  as  the  network  owners  in 
tapping  it."  [Ref.  4:p.  65] 

The  disadvantage  of  fiber  optics  is  its  high  cost.  The 
optic  cable  may  be  superior  for  security  purposes  but  may  not 
be  cost  effective  for  information  at  the  unclassified  level. 
Figure  3.2  depicts  the  three  types  of  transmission  media. 

Line-of-sight  transmission  is  sending  the  data  out  into 
the  air.  "In  particular,  transmission  by  infrared,  lasers, 
microwave,  and  radio  does  not  reguire  any  physical  medium." 
[Ref.  4:p.  65]  Line-of-sight  could  be  used  between  buildings 
when  it  may  be  expensive  to  dig  the  road  up  to  lay  a  cable. 

Laser  or  infrared  communication  is  fully  digital,  and  is 
highly  directional,  making  it  almost  immune  to  tapping  or 
jamming.  On  the  other  hand,  rain  and  fog  may  interfere  with 
the  communication,  depending  on  the  wavelength."  [Ref.  4:p. 

65] 
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(a)  Twiaced  pair. 


or  Insulation  Mesh  or  Sleeve  Protective  Cover 


(b)  Coaxial  cable  acrand. 


Cladding  Jacket  Cover 


(c)  Oocical  fiber  cable. 

Source:  [Ref.  ll:p.  83] 

Figure  3.2  Transmission  Media 
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E.  LAN  STANDARDS  OVERVIEW 

The  International  Standards  Organization's  (ISO)  Open 
Systems  Interconnection  (OSI)  model  "provides  a  general 
reference  framework  for  LAN  standards."  [Ref.  7:p.  21]  The 
model  involves  "connecting  open  systems — that  is,  systems  that 
are  open  for  communication  with  other  systems."  [Ref.  4:p. 
14]  The  OSI  model  is  separated  into  seven  layers  or 
functions.  These  seven  layers  are  the  physical,  data  link, 
network,  transport,  session,  presentation  and  application. 

The  Institute  for  Electrical  and  Electronic  Engineers 
(IEEE)  802  Committee  "is  attempting  to  provide  standards  that 
can  be  used  to  guide  the  manufacture  of  LAN  components  and 
software."  [Ref.  7:p.  21] 

The  standards  were  written  for  CSMA/CD,  token  bus  and 
token  ring.  "Standard  802.3  deals  with  Carrier  Sense  Multiple 
Access  with  Collision  Detection  (CSMA/CD)."  [Ref.  7:p.  33] 
"A  token  passing  bus  standard  is  described  by  802.4  standard 
and  802.5  defines  a  token  ring  system."  [Ref.  7:p.  33] 

F.  COMPARISON  OF  LOCAL  AREA  NETWORKS 

This  section  compares  the  strength  and  weaknesses  of  the 
three  LAN  standards. 

CSMA/CD  (802.3)  is  the  most  widely  used  today.  A  major 
advantage  of  CSMA/CD  is  that  stations  or  nodes  do  not  have  to 
wait  for  a  token  to  transmit.  Therefore,  delay  of  communicat¬ 
ing  at  low  level  is  basically  zero.  [Ref.  4:p.  163] 
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The  major  disadvantages  of  CSMA/CD  are  no  priorities  for 
transmission  and  drop  in  efficiency  at  high  loads. 

At  high  load,  the  presence  of  collisions  becomes  a  major 
problem,  and  can  seriously  affect  the  throughput.  802.3  is 
not  well  suited  to  fiber  optics  due  to  difficulty  of 
installing  taps.  [Ref.  4:p.  163] 

Token  Bus  (802.4)  uses  "highly  reliable  cable  television 
eguipment."  [Ref.  4:p.  163]  "It  is  more  deterministic  than 
802.3  and  has  excellent  throughput  and  efficiency  at  high 
load."  [Ref.  4:p.  164]  Token  Bus  can  support  data,  voice  and 
video.  Since  a  node  must  wait  for  the  token  to  communicate, 
the  token  bus  has  a  "substantial  delay  at  low  load."  [Ref. 
4:p.  164] 

The  token  ring  uses  point-to-point  connections  and  the 
throughput  and  efficiency  at  high  load  are  excellent.  "The 
use  of  wire  centers  make  the  token  ring  the  only  LAN  that  can 
detect  and  eliminate  cable  failure  automatically."  [Ref.  4;p. 
164  ] 

For  people  planning  to  run  their  LAN  in  overloaded  mode, 
802.3  is  definitely  not  the  way  to  go.  For  people  planning 
to  run  with  light  to  moderate  load,  all  three  perform  well, 
so  that  factors  other  than  performance  are  probably  more 
important.  [Ref.  4:p.  164] 


G.  SUMMARY 

This  chapter  has  provided  a  general  review  of  the  basics 
of  local  area  networks  and  a  general  understanding  of  LAN 
terminology.  The  following  chapter  presents  classifications 
of  security  problems  in  a  local  area  network. 
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IV.  CLASSIFICATION  OF  SECURITY  PROBLEMS  IN  LANS 


A.  INTRODUCTION 

This  chapter  addresses  security  in  local  area  networks. 
Security  issues  are  compiled  from  various  sources  into  a 
security  model.  The  literature  on  computer  security  is 
classified  into  five  major  areas:  hardware  security,  data 
security,  data  communication  security,  physical  security  and 
human  related  security  (Figure  4.1). 


COMPUTER  SECURITY 


Hardware 

Software 

Physical 

Data 

Human 

Security 

communi¬ 

related 

cation 

security 

Figure  4.1  Components  of  Computer  Security 

In  establishing  a  security  program,  the  objectives  must  be 
clear  and  the  threats  identified.  According  to  the  National 
Computer  Security  Center,  the  three  objectives  of  information 
security  are  [Ref.  12:p.  2]: 
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Confidentiality  of  personal,  proprietary,  or  otherwise 
sensitive  data  handled  by  the  system. 

Integrity  and  accuracy  of  data  and  the  processes  that 
handle  the  data. 

Availability  of  systems  and  the  data  or  services  they 
support . 

The  threats  to  accomplishing  these  objectives  include 
[Ref.  12:p.  2]: 

Lack  of  awareness  or  concern  for  the  implications  of 
computer  security  issues. 

Carelessness,  errors,  or  emissions. 

Equipment  and  media  failure  hazards. 

Intentional  attacks  by  disgruntled  or  dishonest 
personnel,  hackers,  or  hostile  agents. 

Different  people  perceive  different  threats.  Aaron 
Brenner  in  the  LAN  Tutorial  Series  for  LAN  Magazine  describes 
the  three  basic  threats  as  [Ref.  13:p.  29]: 

Physical  theft. 

Electronic  tampering. 

Unauthorized  access. 

Physical  theft  involves  employees  "stealing  computers, 
taking  floppies  with  data,  and  tapping  into  the  cable."  [Ref. 
13 :p.  29]  "Electronic  tampering  covers  computer  viruses  and 
malicious  reprogramming."  [Ref.  13 :p.  29]  Unauthorized 

access  involves  employees  seeing  information  they  shouldn't 
see  [Ref .  13 ;p.  29 ]  . 
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B.  SECURITY 


1 .  Hardware 

a.  Lack  of  Built-in  Security  Mechanisms 

A  personal  computer  has  a  lack  of  built-in 
security  mechanisms.  The  typical  personal  computer  does  not 
support  the  following  security  mechanisms  common  to  larger 
systems  [Ref.  12:p.  4]: 

Multiple  processor  states — enabling  separate  "domains" 
for  users  and  system  processes. 

Privileged  instructions--liroiting  access  to  certain 
functions  (e.g.,  reading  and  writing  to  disk)  to  trusted 
system  processes. 

Memory  protection  features — preventing  unauthorized 
access  to  sensitive  parts  of  the  system. 

Additionally,  "few  personal  computers  have 
hardware  features  that  simplify  installation  of  security 
measures  such  as  a  supervisor  mode  for  sensitive  instructions, 
hardware  addressing  limitations,  or  restricted  access  to 
input/output  devices."  [Ref.  12:p.  4]  For  these  reasons 

"relatively  unsophisticated  attacks  can  overcome  access 
control  software  or  authentication  techniques."  [Ref.  12 :p. 
4] 

b.  Electromagnetic  Emanations 

Electronic  equipment  emit  electromagnetic  signals. 
Emanations  produced  by  computers  equipment  "can  be  detected 
and  translated  into  readable  form  by  monitoring  devices." 
[Ref.  12 :p.  4]  "Security  measures  intended  to  combat  these 
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radio  frequency  emissions  are  known  as  'Tempest'  controls." 
[Ref.  14:p.  84] 

Tempest-certified  hardware  is  secured  from  radio 
frequency  (RF)  emanations.  The  main  concern  of  Tempest 
equipment  is  containment  of  its  own  RF  signals.  [Ref.  14 :p. 
84] 

Although  Tempest  keeps  the  data  from  leaking  or 
emitting,  a  relevant  comment  is  made  by  Belden  Merkus ,  an 
independent  security  consultant, 

Tempest  does  not  do  all  that  it  is  supposed  to  do 
because  there  are  some  in  the  intelligence  community  who 
don't  want  it  to  be  too  good.  Sidney  Smith,  an  Anglican 
clergyman  in  England  in  the  late  18th  century  said  that  the 
rat-catcher  does  not  want  to  catch  all  the  rats--otherwise 
he  would  be  out  of  business.  [Ref.  I4:p.  84] 

An  emerging  technology  in  the  transmission  of  data 
in  networks  is  RF  LANs.  RF  LANs  "allows  very  convenient 
computer  networking  without  the  burden  of  running  cables  to 
each  terminal  or  computer."  [Ref.  15:p.  225]  Transmissions 
are  sent  via  radio  waves.  This  is  a  security  eavesdropper's 
dream  for  information  to  be  broadcast  in  the  open.  [Ref. 
15:p.  225] 

The  U.S.  Government  has  spent  a  fortune  on  containing 
accidental  radio  frequency  emissions  from  equipment  used  in 
secure  facilities  through  the  TEKPEST  program.  It  seems 
ironic  that  the  very  latest  networking  equipment  should 
deliberately  broadcast  data  over  the  airwaves.  [Ref,  15:p. 
225] 


34 


Software 


2 . 

a.  License  Violations 

When  an  organization  buys  software  it  has  an 
obligation  not  to  sell  copies,  use  for  personal  use,  or  use 
extra  copies  not  specified  by  the  license  agreement.  [Ref. 
8:p.  105]  Since  license  softwares  are  no  longer  copy 

protected,  it  is  increasingly  difficult  for  the  organization 
to  control  unauthorized  duplication  of  software. 

b.  Weaknesses  of  PC-based  Operating  Systems 

The  operating  system  performs  the  day-to-day 
computer  functions  automatically  so  the  user  is  not  involved 
in  the  basic  operations  of  the  system,  MS-DOS  is  the  most 
popular  disk  operating  system  for  IBM-compatible  personal 
computers.  Because  MS-DOS  is  so  popular,  numerous  utilities 
are  available  ”to  do  things  like  obviate  copy  protection, 
expose  disk  sub-structures  and  do  sophisticated  file/disk 
copying."  [Ref.  6:p.  51]  These  utilities  "expose  all  data  on 
the  local  workstation  or  LAN  file  server  to  security  risks." 
[Ref.  6:p.  51] 

c.  Viruses 

Attention  has  focused  recently  on  security  of 
computers.  National  television  and  the  press  have  stirred 
excitement  about  viruses  in  computer  systems.  Viruses  are  a 
small  portion  of  the  computer  security  problem.  Peter  Coffee 
111  PC'  Week  summarized  by  stating: 
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The  virus  problem  is  distracting  valuable  attention  from 
threats  that  are  far  more  common.  Cheap,  simple  protection 
against  those  common  problems  will  make  you  immune  to  most 
of  the  damage  a  virus  can  do.  [Ref.  16:p.  46] 

First,  what  is  a  virus  when  dealing  with 

computers? 

A  virus  is  a  program  that  can  infect  other  programs  by 
modifying  them.  The  term  virus  arises  because  the  infected 
program  can  be  modified  to  include  a  copy  of  the  virus 
program  itself,  so  that  the  infected  program  then  begins  to 
act  as  a  virus,  infecting  other  programs.  The  viruses 
eventually  overtake  the  entire  computer  system.  [Ref.  9:p. 
178  ] 

A  brief  history  of  viruses  is  important  to  realize 
the  threats  of  a  virus.  The  cases  discussed  give  insight  on 
how  viruses  enter  the  system  and  possible  consequences.  It  is 
important  to  realize  that  even  viruses  or  games  that  were 
played  in  fun  can  disrupt  work  and  overload  the  system.  A 
virus  can  do  damage  such  as  crashing  the  system,  erasure  of 
data,  or  destruction  of  systems  programs  [Ref.  17 :p.  21]. 

Some  famous  viruses  include  the  IBM  "Christmas 
virus,"  the  Lehigh  virus,  the  Jerusalem  virus  and  the  Internet 
worm.  Each  of  these  viruses  are  unique  and  will  be  discussed 
in  general  terms  in  the  following  paragraphs. 

The  IBM  "Christmas  virus"  sent  a  Christmas 
greeting  on  the  electronic  mail  system  on  the  internal  IBM 
computer  network.  When  an  individual  attempted  to  clear  the 
screen  the  virus  went  into  the  computer's  distribution  ] ist 
and  sent  the  message  to  everyone  on  the  list.  The  Christmas 
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greeting  spread  exponentially  through  the  network  and 
eventually  the  network  crashed.  [Ref.  17 :p.  21] 

The  Lehigh  virus  is  so-named  because  it  was 
discovered  at  Lehigh  University  in  Bethlehem,  Pennsylvania. 
The  Lehigh  virus  is  considered  an  active  virus.  "The  active 
virus  is  a  virus  that  damages  or  destroys  systems."  [Ref. 

18:p.  26] 

The  virus  hid  in  the  Disk  Operating  System  (DOS) 
in  the  COMMAND.COM  file.  This  file  is  executed  every  time 
entries  are  made  into  the  keyboard.  Since  the  virus  hid  in 
the  stack  space  of  the  COMMAND.COM  file,  the  file  size  did  not 
change.  The  changing  of  file  size  is  usually  a  way  to  detect 
a  virus  but  not  in  this  case.  [Ref.  18:p.  26] 

Once  the  virus  was  in  place,  whenever  a  user  typed  a  DOS 
command,  the  virus  would  check  to  see  if  there  was  a  non- 
infected  COMMAND.COM  file  on  the  system.  If  so,  it  infected  it 
and  incremented  a  counter  that  kept  track  of  how  many  other 
disks  it  had  infected.  The  virus  would  then  execute  the 
user's  DOS  command.  All  this,  unbeknownst  to  the  user.  [Ref. 

18:p.  26] 

When  the  counter  hit  four,  the  virus  would  erase 
the  hard  disk,  including  the  boot  sector  and  the  file 
allocation  table  (FAT) .  The  virus  did  leave  two  trails. 
First,  the  date  on  the  COMMAND.COM  file  would  change.  Second, 
the  write  light  would  be  on  the  disk  being  infected.  [Ref. 

18:p.  26] 

The  Jerusalem  virus  was  hidden  in  the  install 
progr^im  on  the  master  disk  [Ref.  19:p.  26].  The  virus  made 
the  news  because  it  was  supposed  to  strike  on  Friday,  the  13th 
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of  October.  The  virus  did  not  cause  major  damage  but 
emphasized  that  the  network  infected  had  no  preventions 
against  viruses. 

The  Internet  worm  downed  over  60,000  PCs  on  the 
Internet.  The  Internet  is  a  worldwide  network  connecting 
academic,  business,  and  military  computers.  A  worm  is  a  type 
of  virus  which  reproduces  itself.  [Ref.  20:p.  74] 

As  the  above  viruses  illustrated,  viruses  are 
usually  created  for  a  specific  software  or  hardware 
environment  [Ref.  21:p.  25].  "MS-DOS  based  viruses  may  tag 
onto  application  programs  such  as  .COM  or  .EXE  files."  [Ref. 
21:p.26]  This  type  of  virus  on  DOS  usually  changes  the  file 
size  and  date  [Ref.  2i:p.  26]. 

Computer  viruses  enter  the  system  in  two  ways. 
The  user  "enters  an  infected  program  into  the  system  or 
telecommunication  link  allows  a  virus  to  cross  from  one  system 
to  another."  [Ref.  17:p.  22]  The  second  way  is  via  telecom¬ 
munications.  "When  telecommunications  is  the  medium,  dial-in 
access  is  often  found,  because  dial-in  opens  the  system  to  a 
sometimes  hostile  world."  [Ref.  17;p.  22] 

Even  innocent  activities  can  lead  to  a  virus.  An 
employee  may  bring  a  program  to  work  from  a  computer  bulletin 
board.  Although  the  program  is  for  personal  use,  the  program 
is  infected  and  the  virus  attaches  to  the  operating  system. 
[Ref.  17:p.  22] 
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In  summary,  there  are  certain  aspects  of  networks 
that  make  networking  a  "virtual  petri  disk  for  breeding 
computer  infection."  [Ref.  20:p.  73]  Michael  Reimer, 
executive  vice  president  of  Cleveland-based  Fountain  Ware, 
says  "the  one-to-one  relationship  between  PCs  and  users  is  one 
of  the  single  greatest  points  of  risk  on  the  network."  [Ref. 
20:p.  73]  Other  points  of  entry  for  viruses  include  bulletin 
boards  and  diskettes.  The  threats  to  the  system  are  the 
integrity  of  the  database  and  service  denial. 

3 .  Communication 

Remote  connections  are  an  easy  and  convenient  manner 
to  connect  to  a  network  from  home  or  another  network.  A  local 
area  network  with  a  modem  capability  can  connect  to  another 
network.  Remote  logins  are  convenient  to  take  work  home  and 
access  the  network  from  the  user's  personal  computer.  The 
problem  is  that  "anything  extremely  useful  and  convenient  that 
deals  with  sensitive  data  is  a  security  disaster."  [Ref. 
22:p.  38] 

The  two  major  security  problems  with  remote  connec¬ 
tions  are  illegal  entrance  by  computer  hackers  and  access  to 
Bulletin  Board  Systems  (BBS) . 

Since  access  is  easy  for  users,  access  is  also  easy 
for  the  computer  hacker.  A  problem  with  remote  logins  is  that 
hackers  attempt  random  numbers  on  the  telephone  until  they 
obtain  a  dial  tone  and  then  enter  the  network  or  PC  [Ref.  8:p. 
105]  . 
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Second,  if  access  to  a  dial-out  modem  is  easy, 
uncontrolled  download  of  files  from  the  Bulletin  Board  Systems 
(BBS)  may  occur.  Bulletin  boards  are  a  primary  source  of 
virus  infection  and  many  systems  are  toll  calls  [Ref.  8:p. 
105] .  Therefore,  if  dial-out  lines  are  available,  abuses  may 
occur  without  adequate  controls  [Ref.  22:p.  38]. 

4 .  Physical  Security 

An  important  consideration  in  the  design  of  a  LAN  is 
physical  security.  Physical  security  encompasses  many  areas 
and  has  lasting  effects  on  the  operation  of  the  network. 
Physical  security  deals  with  locks,  equipment  and  electrical 
power  to  mention  a  few.  The  most  comprehensive  definition  of 
physical  security  is  given  by  the  Federal  Property  Management 
Regulations . 

Federal  Property  Management  Regulations  define 
physical  security  as, 

...the  sum  of  construction  features  and  the  use  of  locks, 
guards,  badges,  and  similar  measures  to  control  access  to  a 
facility  (location)  as  well  as  the  measures  required  to 
protect  personnel  and  property,  including  the  structures 
housing  the  computer,  their  contents,  and  related  equipment, 
from,  but  not  limited  to,  damage  from  accident,  fire,  loss 
of  utilities,  environmental  hazards,  and  unauthorized 
access,  [Ref.  23:p,  41] 

Physical  security  in  this  section  is  divided  into 
workstations,  servers,  diskette  dilemma,  cabling  and 
environmental  damage. 
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a.  Workstations 


With  the  growth  of  computers  at  home,  the  chances 
of  stealing  increases  in  the  work  environment.  A  defective 
board  from  the  home  computer  can  be  easily  swapped  at  work  for 
a  working  board.  Since  the  microcomputer  is  easy  to  access, 
computer  parts  can  be  swapped  or  stolen  undetected.  [Ref. 
24;p.  15] 

"The  highest  security  risk  in  a  LAN  is  the 
workstation."  [Ref.  6:p.  52]  The  user  has  free  access  to 
DOS-based  workstations  which  is  convenient  for  stealing  of 
sensitive  data  [Ref.  6:p.  52]. 
b.  Servers 

As  discussed  in  Chapter  III,  the  file  server  is 
the  heart  of  the  LAN.  Most  servers  are  unprotected  against 
disk  removal.  Additionally,  servers  are  subject  to  theft 
because  of  physical  size.  Uncontrolled  access  to  servers 
could  cause  potential  loss  of  data  through  misuse  of  the 
server  console  [Ref.  6:p.  52]. 

Another  concern  with  servers  is  using  personal 
computer  clones. 

Some  LAN  vendors  repackage  IBM  Personal  Computer  AT 
clones  and  call  them  servers.  This  can  be  a  source  of 
problems,  because  a  network  server  will  be  driven  far  harder 
than  any  AT.  It  is  best  to  look  for  a  vendor  who  builds 
minicomputer-like  systems  designed  to  work  24  hours  a  day  for 
years.  [Ref.  25:p.  19] 
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Diskette  Dilemma 


c , 

The  diskette  is  the  most  common  medium  for  the 
input  and  output  of  Information  from  the  computer.  The 
advantage  is  that  the  diskettes  are  compact  and  easy  to  carry. 
The  disadvantages  are  that  they  can  easily  be  copied,  stolen 
or  damaged.  [Ref.  24:p.  13] 

The  oroblem  is  that  organizations  place  very 
little  control  on  diskettes.  Labelled  and  unlabelled 
diskettes  are  usually  scattered  around  the  working  area  of  the 
microcomputer.  End-users  do  not  place  a  priority  on  security 
of  diskettes.  [Ref.  24:p.  13] 

"Once  the  information  is  stored  on  the  local  disk, 
there  are  typically  no  security  processes  in  place  to  prevent 
an  unauthorized  user  from  obtaining  it."  [Ref.  6;p.  51] 

d.  Cabling 

Cable  topology  "is  the  basis  for  physical 
security."  [Ref.  25:p.  19]  The  two  major  standards  for  cable 
topology  are  IEEE  802.3  (Ethernet)  and  IEEE  802.5  (token 
ring)  .  The  selection  of  token  ring  or  Ethernet  will  affect 
reliability  of  the  system.  Token  ring  design  has  fewer  active 
components.  [Ref.  25:p.  19]  Therefore,  it  is  "easier  to 

locate  and  isolate  problems  on  a  token  ring."  [Ref.  25:p.  19] 
The  tradeoff  is  that  Ethernet  failures  occur  less  often  than 
token  ring  [Ref.  25:p.  19] 

Cabling  is  a  major  component  of  network  stability  and, 
because  of  the  capital  investment  involved,  one  that  is 
difficult  to  alter  if  improperly  designed.  Shortcuts 
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degrade  security  in  ways  that  are  difficult  to  quantify  and 
correct.  [Ref.  25:p.  19] 

Cabling  is  not  the  area  in  which  "low  initial  cost 
should  be  a  design  objective  because  of  operational  and 
security  reasons."  [Ref.  25:p.  19] 

"Cable  is  one  of  the  first  and  easiest  places  for 
a  LAN  security  breach  to  occur."  [Ref.  14:p.  84]  Copper- 
based  systems  can  be  tapped  easily.  Twisted-pair  or  other 
copper  cable  don't  need  contact  with  the  cable  to  be  tapped. 
Instead,  an  electromagnetic  pick-up  and  an  antenna  device  can 
be  built  for  under  $20.  [Ref.  14:p.  84] 

Another  weak  spot  for  LAN  security  is  electromag¬ 
netic  signal  leakage  or  emanations.  The  cabling  and  the 
connectors,  amplifiers  and  tap  boxes  leak  a  portion  of  the 
signal.  "These  leaked  signals  can  be  turned  into  readable 
data."  [Ref.  14:p.  84] 

A  not-so-obvious  security  problem  is  running 
unshielded  twisted-pair  near  electrical  devices  such  as 
electric  pencil  sharpeners  [Ref.  26:p.  96]  "Electromagnetic 
radiation  emanating  from  electromechanical  and  electronic 
devices  can  crash  your  system."  [Ref.  26:p.  96] 

"Fiber  is  somewhat  more  secure,  since  the  loss  of 
light  caused  by  a  tap  is  often  detectable."  [Ref.  14 :p.  84] 
Fiber  optics  is  not  free  from  tapping.  Since  a  connection  is 
required  to  expand  the  network,  the  connections  are  the 
possible  weak  point  [Ref.  14:p.  84]. 
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e.  Environment  Damage 

An  important  area  in  physical  security  is 
electrical  power  and  effects  on  the  computer  system.  The 
"quality  and  reliability  of  the  network's  electrical  power 
supply"  must  be  considered  for  the  LAN  to  function  properly 
[Ref.  27:p.  120]. 

A  study  completed  by  IBM  and  Bell  Labs  determined 
"that  power  disturbances  occur  on  the  average  of  two  times  a 
week  for  most  commercial  sites."  [Ref.  27 :p.  120]  Addition¬ 
ally,  the  studies  determined  "that  a  large  proportion  of 
disturbances  are  generated  within  the  building."  [Ref.  27 :p. 
120] 

A  personal  computer  operates  on  120  volt  service. 
The  American  National  Standards  Institute  (ANSI)  define 
steady-state  voltages  for  120  volt  service  "as  a  continuous 
operation  at  a  range  from  108  to  125  volts  alternating  current 
(VAC)  for  120  VAC."  [Ref.  27:p.  120]  So,  a  personal  computer 
does  not  receive  exactly  120  volts. 

In  the  above  mentioned  study,  the  following  power 
line  disturbances  were  identified: 

Sags. 

Surges. 

Failures. 

Oscillations. 

Spikes  or  impulses. 
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"Sags  are  cycle-to-cycle  decreases  in  the  power 
line  voltage  below  80  percent  of  the  nominal  value  lasting 
less  than  several  seconds."  [Ref.  27:p.  120] 

A  sag  can  cause  two  problems  to  the  computer 
system.  If  a  sag  occurs,  "it  causes  the  computer  power  supply 
to  detect  low  voltage  on  its  output,  resulting  in  computer 
shutdown."  [Ref.  27 :p.  122]  This  could  cause  loss  of  data  if 
user  was  writing  a  file  to  storage  at  the  time  of  the  sag. 
Power  blackouts  can  cause  similar  problems  to  sags.  [Ref. 
27:p.  122]. 

The  problem  becomes  more  severe  if  the  duration  of 
the  sag  "is  approximately  egual  to  the  holdup  time  of  the 
power  supply  in  the  computer."  [Ref.  27  :p.  122]  This  can 
"cause  a  reversal  of  the  '1*  and  'O'  in  memory,  causing  the 
destruction  of  programs  and  data  in  RAM."  [Ref.  27 :p.  122] 

"Surges  are  cycle-to-cycle  increases  in  the  power 
line  voltage  above  110  percent  of  the  nominal  value  lasting 
less  than  several  seconds."  [Ref.  27:p.  120]  Surges  account 
for  the  majority  of  hardware  damage  and  can  stress  computer 
components,  especially  power  supplies  [Ref.  27 :p.  122]. 

Failures  are  a  zero  voltage  or  an  outage.  Fail¬ 
ures  can  cause  the  same  damages  as  sags. 

"Oscillations  or  noise  have  a  frequency  range  of 
400  Hz  to  five  KHZ,  with  beginning  amplitude  from  15  percent 
and  up  to  100  pt.-.-cnt  of  nominal  line  voltage."  [Ref.  27  :p. 
120]  Oscillations  rarely  occur  from  wall  receptacles. 
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Oscillations  cause  computer  power  supply  and  other  hardware 
component  damage.  [Ref.  27:p.  122] 

Spikes  or  impulses  are  an  "over  voltage  superim¬ 
posed  on  the  line  voltage  waveform  which  lasts  between  0.5  and 
100  microseconds  and  has  an  amplitude  over  100  percent  of  peak 
line  voltage."  [Ref.  27:p.  120]  Spikes  "are  rapid  excursions 
of  voltage."  [Ref.  27:p.  122]  Spike/transient  suppressors 
have  become  popular  because  spikes  can  cause  destruction  of 
computer  hardware  or  damage  software  [Ref.  27-p.  127]. 

Table  4.1  summarizes  the  average  frequency  of 
disturbances  in  the  United  States,  as  determined  by  the  IBM 
and  Bell  Labs  studies.  Power  protection  needs  of  a  LAN 
usually  rely  on  wall  receptacle  power  "rather  than  a  dedicated 
power  line  at  the  building  entrance."  [Ref.  27 :p.  122] 

5 .  Human-Related  Security 

The  user  is  involved  in  many  aspects  of  LAN  security 
"If  data  resides  on  a  LAN  of  fewer  than  20  workstations  with 
no  connection  to  the  outside  world,  how  great  is  your 
exposure?"  [Ref.  8:p.  100]  The  risk  and  exposure  may  be 
greater  due  to  careless  users  than  determined  crackers  [Ref. 

8 : p .  100 ] . 

The  truth  is  "more  data  are  lost  and  damaged  through 
carelessness  than  through  planned  intrusion."  [Ref.  8:p.  100] 
Mistakes  made  by  an  honest  user  may  cause  more  problems  than 
a  computer  hacker. 
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TABLE  4.1 


FREQUENCY  OF  POWER  DISTURBANCES 


DISTURBANCE  TYPE  OCCURRENCE  PER  MONTH 


Building  Entrance 
(IBM) 

Wall  Receptacle 
(Bell  Labs) 

Sag 

1.5 

4.0 

Surge 

1.0 

0.3 

Power  Failure 

0.6 

1.0 

Oscillation 

26.0 

not  recorded 

Spike 

1.0 

2 . 0 

All  Disturbances 

Per  Week 

7.5 

1 . 8 

Source:  [Ref. 

27:p.  120] 

C.  SUMMARY 

Five  areas  were  discussed  and  all  play  an  integral  part  in 
implementing  a  security  policy  for  LANs.  As  discussed  in  this 
chapter,  the  greatest  security  risk  may  be  the  user.  Non- 
malicious  destruction  of  data  by  the  user  is  a  definite 
concern.  The  following  chapter  examines  the  possible  control 
solutions  to  the  security  problems  discussed  in  this  chapter. 
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V.  CLASSIFICATION  OF  CONTROL  SOLUTIONS  FQp 

A.  INTRODUCTION 

This  chapter  surveys  various  control  me?»^uies  in  local 
area  networks.  Although  all  the  controls  discussed  may  not  be 
indispensable,  it  is  important  to  be  aware  of  the  security  and 
control  issues  when  designing  a  local  area  network  and 
planning  for  future  expansion. 

The  amount  of  security  will  depend  upon  the  threat 
perceived  [Ref.  13  :p.  29].  The  most  important  area  to 
consider  for  control  measures  is  the  level  of  security 
reguired  for  the  network.  The  security  level  set  will  depend 
upon  the  importance  of  the  data,  the  network  utilized,  and  the 
availability  of  money  [Ref.  13;p.  29].  "The  level  of  security 
your  installation  requires  is  a  big  factor  in  what  network 
operating  system,  security  features  and  security  equipment  you 
should  install."  [Ref.  6:p.  54] 

Classification  of  security  needs  could  be  categorized  into 
three  areas:  low  or  no  access  control,  medium  access  control, 
or  high  access  control  [Ref.  6:p.  56]. 

If  no  security  controls  are  required,  any  network 
operating  system  (NOS)  can  function  safely.  Significant  cost 
savings  could  be  made  in  low  access  control  by  peer-to-peer 
architecture.  [Ref.  6:p.  56] 
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Table  5.1  is  the  LAN  security  spectrum  and  provides 
examples  of  application  types  and  suggested  security  features 
for  a  LAN. 


TABLE  5.1 

THE  LAN  SECURITY  SPECTRUM 


SECURITY 

REQUIREMENTS 

APPLICATIONS 

SECURITY  FEATURES 

Low/no  access 
control 

General  office 
applications 

-  Peer-to-peer 
architecture 

-  Password 
pi jtection 

Medium  access 
control 

Sensitive  data, 

proprietary 

software 

-  Client-server 
architecture 

-  Password 
protection 

-  Access  control 
to  directories 

High  access 
control 

Classified/ 
secure  data 

-  Client-server 
architecture 

-  Password 
protection 

-  Diskless 
workstations 

-  Security 
monitoring 

-  Access  reporting 

Source : 

[Ref.  6:p.  51] 

A  low  security  local  area  network  can  be  characterized  by 
the  following  [Ref.  6:p.  56]: 
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Peer-to-peer  architecture. 

DOS  disk  format. 

Bootable  workstations  (local  storage) . 

No  required  directory  in  file  access  control. 

Shareable  printers  across  the  network. 

The  spectrum  of  PC  LAN  security  is  very  wide.  Possible 
security  features  in  a  high  access  control  are  [Ref.  6:p.  56]: 
Dedicated  file  server. 

Non-MS-DOS  disk  format. 

Diskless  workstations. 

Access  control  down  to  the  lowest  level  possible  file. 
Encryption  of  passwords. 

Security  monitoring  and  accounting. 

Network  encryption  devices. 

Printers  attached  to  secure  file  server. 

No  remote  login. 

Fault-tolerant  design. 

Most  organizations  are  somewhere  between  the  two  extreme 
levels  of  the  security  spectrum. 

Control  issues  for  a  LAN  are  divided  into  three  major 
areas : 

Physical  access. 

Logical  access. 

Administrative  controls. 

Physical  access  deals  with  the  controlling  access  to 
equipment.  Logical  access  involves  access  to  the  data.  This 
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type  of  access  is  the  responsibility  of  the  network  operating 
system.  [Ref.  6:p.  51]  "It  is  via  the  NOS  that  'logical' 
control  for  information  access  is  carried  out."  [Ref.  6:p. 
51] 


Password  access  to  servers,  input/ output  (I/O)  rights  to 
directory  or  file  structures,  fault  tolerance  and  user 
accounting  features  are  all  part  of  the  support  provided  by 
a  network  operating  system.  [Ref.  6:p.  51] 

Administrative  controls  involve  upper  management,  the  LAN 
manager  and  the  user.  All  thrc<=>  ^-^-e  integral  elements  in 
designing  a  LAN. 

Finally,  the  organization  must  assess  the  cost  of  the 
control  measures  versus  the  loss  of  software  or  hardware. 
"Security  begins  with  an  honest  assessment  of  what  you  can 
afford  to  lose  and  how  likely  you  are  to  lose  it."  [Ref.  8:p. 
100] 


A  control's  cost  should  be  less  than  the  resulting 
reduction  in  expected  loss.  This  is  dramatically  indicated 
by  the  caveat--one  should  not  kill  a  fly  with  a  sledge¬ 
hammer.  That  is,  a  control  may  be  effective,  but  it  will 
not  be  efficient.  [Ref.  28:p.  14] 

A  good  LAN  security  program  involves  prevention,  detection 
and  recovery.  This  is  graphically  depicted  in  Figure  5.1. 
This  chapter  examines  these  three  areas. 


B.  PHYSICAL  ACCESS 

There  are  five  methods  of  access  control  [Ref.  29:p.  202]. 
The  first  method  is  visual  recognition  of  the  individual  by  a 
guard  or  receptionist  locat'^d  at  the  point  of  entry.  Visual 
recognition  is  used  together  with  other  methods  of  access 
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PREVENTION 


DETECTION 


LAN  SECURITY  PROBLEM 

Hardware 
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Physical 

Security 
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cation 

Human 

Related 

Security 
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Figure  5.1  A  Security  Model 

control .  The  second  method  uses  a  key  to  lock  or  a  badge  or 
card  that  activates  some  form  of  reader.  Method  three  is 
based  on  combination  to  a  lock  or  a  password.  A  handwritten 
signature  is  the  fourth  method.  The  last  method  is  based  on 
measuring  elements  of  the  human  anatomy.  This  method  is 
called  biometrics.  [Ref.  29:p.  202] 
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1 .  Locks 


Locks  are  the  basic  level  to  deter  physical  tampering 
of  computer  systems.  The  devices  are  inexpensive  and  range 
from  $20  to  $100.  [Ref.  30:p.  108]  Devices  are  available 
"that  lock  the  PC's  keyboard,  on/off  switch,  backplate,  or 
cover  screw  or  one  that  locks  your  PC  itself  to  the  desk, 
floor,  or  any  other  permanent  fixture."  [Ref.  30 :p.  108] 
"The  most  basic  form  of  physical  security  is  keeping  equipment 
behind  locked  doors  or  bolting  it  to  the  floor."  [Ref.  13 :p. 
29]  This  is  a  precaution  for  equipment  being  stolen. 

Another  method  is  to  prevent  physical  access  to  the 
data  on  the  computer.  The  lock  on  most  PC  ATs  is  an  example 
of  this  measure.  The  PC  AT  lock  is  located  in  the  front  of 
the  computer.  When  the  system  is  locked  the  computer  can  not 
be  booted  and  it  is  difficult  to  take  off  the  computer  cover. 
Most  people  are  concerned  with  losing  the  key  and  not  being 
able  to  use  the  computer  so  they  do  not  lock  the  computer. 
[Ref.  30:p.  Ill]  As  in  a  lot  of  security  issues,  the  lock  has 
become  more  of  ?  nuisance  than  a  protector.  A  viable  option 
is  to  keep  the  file  server  in  a  secure  room  or  closet.  This 
prevents  direct  access  to  the  heart  of  the  LAN. 

Aarons  and  Raskin  [Ref.  30 :p.  108]  state  that  board 
swapping  is  the  next  wave  in  nonmalicious  tampering.  Board 
swapping  is  malicious  in  an  organization.  "The  best 
protection  against  board  swapping,  tampering,  and  messing 
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under  the  hoods  are  locks  for  the  cover  screw  or  backplate  of 


the  PC."  [Ref.  30;p.  108] 

In  summary,  locks  are  important  to  reduce  theft  but 
should  be  low  profile.  Otherwise,  the  PC  may  "look  like  a 
prisoner  on  a  chain  gang."  [Ref.  30:p.  108] 

2 .  Diskless  PCs 

Diskless  PCs  are  another  method  of  securing  a  LAN. 
Diskless  PCs  use  no  floppy  or  hard  disk  drive.  The  diskless 
PCs  make  it  difficult  to  load  viruses  onto  the  network.  And 
as  important,  "diskless  PCs  prevent  users  from  stealing 
corporate  information  or  software."  [Ref.  31 :p.  86] 

Diskless  PCs  stop  individuals  from  loading  virus- 
infected  software  from  bulletin  boards  and  using  unlicensed 
software . 

The  diskless  PCs  have  two  disadvantages.  First, 
diskless  PCs  may  have  a  hard  time  receiving  acceptance  due  to 
previously  purchased  computers  in  the  organization. 
Organizations  desire  to  connect  the  computers  already 
available  rather  than  adding  additional  cost  for  more 
computers.  Second,  users  need  the  capability  to  use  the 
microcomputers  when  the  network  is  down.  [Ref.  32 :p.  58] 

3 .  Biometrics 

Biometrics  uses  characteristics  of  an  individual's 
body  to  gain  access  to  a  room  or  to  a  computer.  The  devices 
measure  information  that  is  unique  to  a  person  such  as 
fingerprint,  handprint,  retina  pattern,  voice  pattern  or 
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signature.  The  body  characteristics  of  the  user  are  stored  as 
models  in  the  biometrics  devices.  Access  is  granted  when  the 
user's  body  characteristics  are  compared  to  the  information 
stored  in  the  biometrics  device  and  confirmed.  Access  is 
denied  if  there  is  no  match.  [Ref.  33:p.  90] 

The  convenience  of  biometrics  is  their  simplicity 
because  there  are  no  passwords,  keys,  badges  to  maintain  or 
remember.  For  example,  the  retina  pattern  device  obtains  a 
scan  of  the  blood  vessel  pattern  in  the  retina.  All 
individuals  have  a  unique  retina  pattern  and  once  these  are 
verified,  the  user  gains  access.  [Ref.  33 :p.  90] 

The  major  advantage  of  biometrics  is  the  difficulty  in 
duplicating  an  individual's  body  characteristics.  At  present, 
the  major  disadvantage  of  biometrics  is  the  high  cost.  The 
second  disadvantage  is  that  errors  do  occur  in  the  system. 

Errors  usually  occur  for  two  reasons.  First,  the 
guality  of  the  measurement  process  is  imprecise  [Ref.  29:p. 
202].  Second,  "the  human  physical  characteristics  being 
measured  by  these  systems  can  vary  significantly  from  day-to- 
day  and  even  within  a  particular  day."  [Ref.  29 :p.  202]  An 
illness  by  the  user  may  cause  a  change  in  the  metabolism  to 
affect  the  readings  of  the  biometrics  device  [Ref.  29:p.  202]. 

Errors  experienced  by  biometrics  access  control  systems 
usually  are  dealt  with  by  permitting  up  to  three  attempts  at 
securing  entry  before  an  individual  is  denied  access  by  the 
device  being  used.  When  this  occurs  the  individual  involved 
usually  is  required  to  telephon-e  a  designated  individual 
stationed  within  the  controlled  area  and  to  secure  admission 
through  this  person.  [Ref.  29:p.  203] 
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A  test  was  conducted  to  examine  the  reliability  and 
ease  of  use  of  various  biometrics.  The  devices  tested 
included  a  retina  verification  device,  a  finger/thumb 
verification  device,  a  hand-geometry  identification  device  and 
a  signature-verification  device.  The  test  results  are  shown 
in  Table  5.2. 


TABLE  5.2 


RESULTS 

OF  BIOMETRICS 

READINGS 

1st 

2nd 

3rd 

Device 

Attempt 

Attempt 

Attempt 

Rejected 

Eye 

10 

Finger 

20 

5 

Thumb 

12 

10 

2 

1 

Hand  geometry 

21 

4 

Signature 

9 

1 

Biometrics  are  extremely  accurate.  The  importance  of 
the  initial  entry  measurements  can  not  be  over-emphasized. 
Most  devices  at  the  end  of  the  initial  entry  give  a  number  for 
the  quality  of  the  data.  This  usually  determines  ease  of 
access  and  how  many  attempts  the  user  will  have  to  try  for 
access . 

The  eye  and  the  signature  survey  were  conducted  using 
tv/o  separate  days  for  testing  with  five  attempts  each  day. 
The  finger,  thumb  and  hand-geometry  test  involved  one  week  of 
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testing  with  five  attempts  completed  each  day.  Each  test 
allowed  three  attempts  at  entrance  before  the  device  denied 
access.  The  reason  for  a  five-day  test  on  these  devices  was 
to  determine  if  the  day-to-day  metabolism  could  change  access. 
It  appeared  that  changes  in  metabolism  had  a  small  affect  on 
the  results.  The  major  discrepancy  with  the  thumb  device  was 
due  to  trying  to  determine  the  position  for  the  thumb  on  the 
device.  Since  the  finger  and  thumb  use  the  same  device,  the 
thumb  always  overlapped  the  position  holder.  Unable  to  place 
the  thumb  in  the  exact  same  position  each  day  resulted  in  a 
varying  success  rate. 

The  most  secure  system  and  easiest  to  use  was  the 
retina  verification  device.  The  user  was  verified  the  first 
time  in  a  trial  of  ten  attempts. 

Signature  verification  equipment  was  the  least  secure 
for  biometrics  security  equipment.  The  author  gained  access 
on  signature  on  the  first  attempt  every  time.  The  problem  was 
one  student  was  able  to  duplicate  the  rhythm  of  the  signature 
while  copying  the  signature,  and  gain  access.  No  other  device 
accepted  forgeries. 

As  the  prices  drop  for  biometric  devices,  this 
technology  could  be  used  in  the  start-up  procedures  for  a 
local  area  network.  [Ref.  22:p.  43] 

4 .  Passwords 

One  of  the  forms  of  user  authentication  is  passwords. 
Passwords  are  a  simple  and  effective  method  to  control  access 
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to  a  computer  and  network.  "A  user  must  know  a  legitimate 
password  to  gain  access  to  the  system."  [Ref.  14:p.  84] 

Because  of  the  user's  tendency  to  share  passwords  and  keep  the 
same  password  for  years,  passwords  must  be  managed. 

Selecting  passwords  correctly  is  fundamental  to  any 
security  program.  The  object  is  to  select  a  password  of  which 
other  users  and  computer  hackers  can  not  make  an  educated 
guess  and  predict  the  password.  The  problem  is  users  pick 
easy  passwords  such  as  first  name,  last  name  or  display  the 
password  directly  on  the  computer.  [Ref.  14:p.  84] 

Perhaps  10%  of  all  computer  accounts  use  between  50  and 
60  common  passwords.  This  reduces  the  effective  number  of 
passwords  from  208  billion  to  600--which  are  very  good  odds 
indeed.  This  is  an  area  where  hackers  use  custom  computer 
programs.  Their  machine  can  call  your  system  over  the  phone 
lines.  [Ref.  34:p.  42] 

The  following  list  of  do's  and  don't 's  are  presented 

to  assist  in  password  development  [Ref.  35:p.  6]: 

Don't  use  your  login  name  in  any  form  (password  system 
may  have  a  login  name  such  as  your  name) . 

Don't  use  your  first  or  last  name  in  any  form. 

Don't  use  your  spouse's  or  child's  name. 

Don't  use  other  information  that  is  easily  obtained, 
including  license  plate  numbers,  telephone  numbers, 
social  security  numbers,  the  brand  of  your  car,  the  name 
of  the  street  you  live  on,  etc. 

Don't  use  a  password  of  all  digits,  or  all  the  same 
letter  that  could  significantly  decrease  the  search  time 
for  a  cracker. 

Don't  use  a  word  contained  in  dictionaries,  spelling 
lists,  or  other  lists  of  words. 

Don't  use  a  password  shorter  than  six  characters. 
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Do  use  a  password  with  mixed-case  alphabetic. 

-  Do  use  a  password  with  non-alphabet ic  characters,  e.g., 
digits  or  punctuation. 

Do  use  a  password  that  is  easy  to  remember,  so  you  don't 
have  to  write  it  down. 

Do  use  a  password  that  you  can  type  quickly.  This  makes 
it  harder  for  someone  to  steal  your  password  by  watching 
over  your  shoulder. 

There  are  many  different  strategies  for  selecting  a 
password.  These  various  strategies  for  picking  passwords  are 
summarized  in  Table  5.3.  Table  5.3  provides  example  of 
different  strategies  and  the  security  level  of  each  strategy. 

The  first  strategy  is  to  have  no  password  or  type  in 
the  words  "password  or  XXXX."  The  second  strategy  is  to  pick 
something  easy  to  remember  like  "sex,  drugs,  etc."  These 
passwords  are  easy  to  remember  and  popular  but  have  a  low 
security  level.  [Ref.  34:p.  42] 

The  third  strategy  is  to  have  a  random  generator  pick 
passwords  using  upper-case,  lower-case,  numbers  and  punctua¬ 
tion.  An  example  of  this  would  be  "Z#Lu%p*v."  This  method 
would  apparently  be  the  best  method.  The  problem  is  the 
password  is  so  random  that  users  can  not  memorize  the  code  and 
must  write  the  password  down.  Usually,  this  is  done  next  to 
the  computer.  The  protection  against  attack  is  poor  and  not 
a  recommended  strategy.  [Ref.  34:p.  44] 

The  fourth  method  is  to  use  "long,  but  misspelled, 
common  English  words."  [Ref.  34 :p.  42]  An  example  of  this 
would  be  spelling  computer  as  "computre."  The  security  level 


59 


TABLE  5.3 


PASSWORD  STRATEGIES 


Strategy 

1 

Strategy 

2 

Strategy 

3 

Strategy 

4 

Strategy 

5 

Method 

Pass¬ 
words? 
Weren  ’  t 
they 

install¬ 
ed  by 
the 

manufac¬ 

turer? 

Users 
select 
their 
own 
pass¬ 
words  . 

Assign 
random 
pass¬ 
words  . 

Long, 
but  mis¬ 
spelled, 
common 
English 
words . 

Pseudo¬ 
random 
pass 
phrases . 

Security 

level 

Nil.  Can 
be,  and 
is 

broken 

by 

unintel- 
1 igent 
11-year- 
olds  . 

Low. 

Regular¬ 

ly 

broken 

by 

intelli¬ 
gent  14- 
year- 
olds  . 

Low. 

Pass¬ 
words 
are  so 

random 
that 
employ¬ 
ees  can 
not  re¬ 
member 
them. 

High. 

These 

are  not 

likely 

to  be 

cracked 

by 

amateurs 
or  dic¬ 
tionary 
sweep 
programs 
if 

unusual 

words 

are 

chosen . 

Very 

high. 

Provides 

good 

combin- 

nation 

of  upper 

and 

lower 

case 

letters 

as  well 

as 

punctu¬ 

ation. 

Examples 

No 

password 

Sex 

6fTa . 8Ac 

Computre 

IsjtAi53 

PASSWORD 

Money 

P[q41Mn 

expandly 

WRa81?Ge 

XXX 

drugs 

lKaH%%u 

rivrerun 

TBlatStd 

Protec¬ 

tion 

None 

None 

Poor  to 

none 

Good 

Very 

good 

Conclu¬ 

sion 

Not 

recom¬ 

mended 

Not 

recom¬ 

mended 

Not 

recom¬ 

mended 

Recom¬ 

mended 

Highly 

recom¬ 

mended 

Source:  [Ref.  34: p.  42] 
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in  this  strategy  is  high  and  the  passwords  are  hard  to 
duplicate.  [Ref.  34:p.  42] 

The  last  and  fifth  strategy  is  using  pseudo-random, 
pseudo-phrase  passwords.  This  strategy  is  "theoretically 
almost  as  secure  as  true  random  generation."  [Ref.  34 :p.  44] 
"The  user  invents  an  eight-word  phrase  and  enters  the  first 
letters  of  each  word."  [Ref.  34 :p.  44]  Examples  of  this 

strategy  are  provided  below  [Ref.  34:p.  42]: 

IsjtAi53  =  "I  stupidly  joined  the  Army  in  53." 

-  WRa81?Ge  =  "Wong's  Restaurant  at  81st?  Great  eats." 

TBlatStd  =  "Twas  Bril  Lig  and  the  Sly  they  doves"  did 
gyre  and  gymble. .. (thanks  to  Lewis  Carroll). 

The  Department  of  Defense  also  emphasized  certain 

areas  for  passwords.  The  recommendations  from  DoD  Password 

Management  Guideline  include  [Ref.  36:p.  2]: 

Users  should  be  able  to  change  their  own  passwords. 

Passwords  should  be  machine-generated  rather  than  user- 
created. 

Certain  audit  reports  (e.g. ,  date  and  time  of  last  login) 
should  be  provided  by  the  system  directly  to  the  user. 

Finally,  a  password  policy  should  be  developed. 
First,  passwords  should  not  be  written  down  or  stored  on  a 
file  on  the  computer.  By  writing  the  password  down  or  storing 
in  a  file  the  user  is  dependent  on  the  security  of  the  file  or 
paper.  Second,  users  should  not  give  passwords  to  others.  By 
giving  out  the  password,  the  user  does  not  know  if  the 
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password  will  be  distributed  further.  Third,  passwords  must 
be  changed  periodically,  about  twice  a  year.  [Ref.  35:p.  6] 

C .  RECOVERY  CONTROLS 
1 .  Backups 

Backup  procedures  involve  making  copies  of  the 
programs  and  the  data  files.  Backups  represent  the  ultimate 
protection  against  infections  from  viruses  and  employees  who 
accidentally  delete  files  and  erase  entire  directories. 

There  are  different  types  of  files  that  should  be 
considered  in  the  backup  system.  These  files  include  [Ref. 
37;p.  105]: 

Hidden  files  containing  the  master  lists  of  all  network 
names  and  passwords. 

Security  files,  which  list  the  rights  and  privileges  of 
each  network  user. 

Files  that  have  been  stored  by  individual  network  users 
on  their  hard  disks. 

When  backing  up  three  types  of  files,  a  LAN  backup 
"requires  enough  storage  space  for  all  of  the  data  on  the 
LAN's  shared  hard  disk,  and  in  some  cases,  individual  users' 
hard  disks  as  well."  [Ref.  37:p.  97] 

There  are  two  types  of  backup  options:  backup  to  disk 
or  backup  to  tape.  Backup  to  floppy  disk  takes  a  considerable 
amount  of  time  and  an  abundance  of  disk.  The  second  method 
under-disk  is  to  backup  to  another  hard  disk  or  to  a  removable 
hard  disk.  A  removable  hard  disk  enables  the  user  to  replace 
the  broken  hard  disk  easily.  The  only  problem  is  that  current 
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removable  hard  disks  only  have  a  capacity  of  4C  megabytes 
(MB).  [Ref.  38:p.  23] 

Backup  to  tape  is  the  most  popular  method.  The 
advantages  of  tape  backup  are  convenience  and  less  expense. 
The  tape  devices  can  be  mounted  internally  in  the  5-1/4  inch 
slots  on  the  PC,  but  most  are  attached  externally  [Ref.  38 :p. 
23  ]  . 


A  new  option  is  optical  disk.  This  option  is  better 
used  for  storage  of  data  than  backup  since  the  data  on  Write- 
Once-Read-Many  can  not  be  changed  [Ref.  38 :p.  23]. 

Backups  should  be  completed  as  the  situation  demands 
and  a  grandfather  system  should  be  used.  In  extreme  cases 
backups  could  be  performed  several  times  during  the  day,  but 
at  the  minimum  once  a  day.  [Ref.  8;p.  107] 

Grandfathering  uses  a  system  that  insures  important 
data  is  not  lost  because  of  various  problems  including 
viruses.  First,  backup  every  file  in  the  LAN  and  this  is  the 
baseline.  If  the  entire  system  fails,  this  is  the  backup  to 
restore  the  system.  [Ref.  8:p.  107] 

Second,  make  daily  backups,  which  you  keep  until  the  end 
of  the  week.  At  week's  end,  you  do  the  weekly  backup,  which 
you  keep  for  a  month.  Rerurn  the  daily  tapes  to  use  for 
next  week's  backups. 

Now,  each  month,  do  a  monthly  backup,  which  you  keep  for 
a  year.  Thus,  you  have  four  dcilies.  On  Friday,  you  keep 
a  weekly.  At  the  end  of  the  month,  you  have  four  weeklies. 
At  the  end  of  the  year,  you  have  12  monthlies.  And  you 
always  have  the  baseline  backup.  Only  backup  files  that 
change  (incremental  backup).  Then  when  you  need  to  restore 
an  entire  drive,  you  start  with  the  baseline  anci  then  update 
with  the  most  recent  incremental  backup.  If  you  find  a 
virus  in  your  backup,  you  can  move  to  an  earlier  backup 
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(that's  why  you  grandfather)  and  the  worst  you'll  have  to  do 
is  reenter  a  month's  worth  of  data.  [Ref.  8:p.  107] 

The  backup  is  usually  not  perceived  as  crucial  until 
data  are  lost.  With  a  local  area  network  the  system  must  be 
designed  with  a  backup.  An  effective  backup  system  is 
required  because  of  the  many  users  and  amount  of  important 
information  in  the  databases.  [Ref.  37  :p.  97]  As  will  be 
discussed  later  in  this  chapter,  more  information  is  lost  by 
nonmalicious  employees  than  by  viruses  and  stealing. 

In  summary,  backup  is  only  effective  if  done  on  a 
regular  basis.  "A  good  rule  of  thumb  is  backup  the  files  that 
change  every  day,  and  backup  the  program  executable  once  a 
week."  [Ref.  38:p.  24] 

2 .  Audit  Trails 


Once  an  individual  penetrates  the  system,  "security 
issues  revolve  around  detecting  breaches  and  identifying  who 
is  committing  them."  [Ref.  14:p.  88] 

An  audit  trail  is  a  program  that  constantly  records 
information  about  what  is  going  on  the  network — who  is 
logging  in  and  out,  who  is  running  what  application  who  is 
deleting  what  file.  It's  often  possible  to  detect  and 
identify  an  intruder  with  an  audit  trail.  [Ref.  14 :p.  88] 

Audit  trails  have  two  drawbacks.  An  obvious  problem 
is  that  someone  must  have  the  time  to  read  all  the  recorded 
information  and  understand  it.  "In  a  LAN,  people  record  their 
hearts  out  but  nobody  ever  looks  at  it,"  says  Peter  Krauss  of 
LAN  VAR  LAN  Services  (New  York,  NY)  .  The  LAN  manager  should 
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review  audit  trial  at  least  once  a  week  for  anomalies.  [Ref. 
14:p.  88] 

Another  problem  is  that  audit  trails  use  a  large 
amount  of  disk  space.  This  disk  space  problem  can  be  reduced 
by  monitoring  the  network  at  certain  hours.  Of  course, 
restricting  audit  trail  hours  reduces  security.  [Ref.  31 :p. 
88]  . 

Since  every  transaction  is  recorded  on  the  network,  an 
audit  trail  is  an  effective  security  tool.  [Ref.  31:p.  88] 

3  .  Disaster  Recovery  Plans 

Disaster  recovery  is  for  a  major  catastrophe  such  as 
a  fire,  flood,  earthquake  or  disk  crash.  The  organization 
must  determine  how  extensive  the  recovery  system  should  be. 
As  mentioned  in  the  backup  section,  "recovery  schemes  depend 
upon  the  importance  of  data,  the  quantity  of  data,  your  budget 
and  the  time  the  system  can  be  down."  [Ref.  39 :p.  32] 

A  disaster  recovery  plan  may  involve  fault-tolerant 
features.  Fault  tolerance  is  "protection  of  data  against 
hardware  failure."  [Ref.  6:p.  54]  Fault-tolerant  features 
"include  redundant  servers,  hardware,  disks,  utilities  and 
files."  [Ref.  39:p.  32] 

Two  methods  of  fault  tolerance  include  disk  bad-track 
handling  and  mirrored  disks.  Disk  bad-track  handling 
recognizes  that  "every  disk  has  flaws  and  important  for 
software  to  deal  with  this  transparently."  [Ref.  6:p.  54] 
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Mirrored  disks  is  "writing  data  to  two  separate  disk 
drives  so  both  drives  will  contain  the  same  logical  data." 
[Ref.  6:p.  54] 

Before  considering  expensive  fault-tolerance  features, 
one  should  consider  the  basics.  The  basic  steps  before  fault- 
tolerance  systems  are  power  protection  and  tape  backup.  Since 
the  servers  are  constantly  on,  the  servers  should  be  protected 
by  an  uninterruptable  power  supply  (UPS) .  [Ref.  40 ;p.  60]  "A 
UPS  is  basically  a  huge  battery."  [Ref.  40:p.  202]  When  the 
power  is  lost,  the  UPS  starts  to  work. 

Additionally,  fault  tolerance  does  not  take  the  place 
of  tape  backup.  For  example,  if  a  virus  infects  one  disk,  the 
other  disk  is  automatically  infected  with  disk  mirroring. 
[Ref.  40:p.  60] 

D.  DATA  SECURITY  CONTROL 

1 .  Virus  Prevention  and  Detection 

Prevention  is  the  most  important  area  when  dealing 
with  viruses.  Knowledge  of  proper  procedures  and  anti-virus 
programs  can  save  the  organization  many  headaches. 


The  first  preventive 

method  is 

to 

"limit 

network 

access  to  legitimate  users." 

[Ref.  41:p. 

78] 

This 

involves 

proper  password  security  procedures  and  an  operating  system 
that  grants  access  to  data  on  a  need-to-use  basis  [Ref.  41:p. 

78]  . 


66 


Secondly,  anti-virus  software  is  on  the  market  to  deal 
with  viruses.  "Common  elements  of  anti-virus  software  are 
programs  that  monitor,  detect  and  protect  against  virus 
infection."  [Ref.  21;p.  28] 

Pirated  programs  and  free  software  should  not  be  used. 
These  programs  could  carry  a  virus.  Ensure  the  anti-virus 
programs  purchased  are  not  viruses  in  disguise  themselves. 

To  prevent  this,  "centralize  software  purchasing  or  have  an 
approved  vendor  list."  [Ref.  18:p.  27] 

The  computer  bulletin  board  systems  (BBS)  are 
susceptible  to  viruses.  Restrict  the  use  of  dial-out  lines 
and  restrict  access  to  the  BBS.  Software  is  available  to 
restrict  the  access  to  only  approved  telephone  numbers.  Since 
viruses  run  from  executable  files,  files  ending  in  .EXE  or 
.COM,  users  should  not  copy  executable  programs  from  the 
bulletin  boards.  [Ref.  8:p.  105] 

Besides  anti-virus  programs  and  using  original 
software,  the  most  important  element  is  to  test  the  software 
on  a  separate  personal  computer  before  installing  on  the 
network.  By  testing  on  an  isolated  computer  this  precludes 
the  virus  from  infecting  the  entire  network.  [Ref.  41:p.  78] 
Preventive  measures  for  viruses  are  listed  in  Table 


5.4. 

If  the  prevention  methods  fail,  how  are  the  viruses 
detected?  If  the  virus  is  complex,  the  virus  may  i;cc  be 
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TABLE  5.4 


PREVENTIVE  MEASURES  FOR  VIRUSES 


1.  Limit  network  access  to  legitimate  users. 

2.  Centralize  software  purchasing  or  have  an 
"approved"  vendor  list. 

3.  Don't  use  unknown  software. 

4.  Use  a  write  tab  on  "suspect"  disk. 

5.  Instruct  employees  on  the  dangers  of  viruses. 

6.  Make  all  .EXE  and  .COM  files  on  PCs  read  only. 

7.  Test  all  new  software  on  an  isolated  system  before 
loading  on  network. 

8.  Make  working  copies  of  all  original  diskettes. 

9.  Check  system  programs,  utilities,  and  applications 
regularly  for  unusual  behavior. 

10.  Remove  any  suspicious  programs  with  a  utility  that 
completely  overwrites  the  disk  space  formerly 
occupied  by  the  deleted  files. 

11.  Make  frequent  backup  copies  of  files. 

12.  Log  all  access  or  attempted  accesses  to  the 
network . 

13.  Never  boot  a  hard  disk  system  with  a  floppy  disk. 

14.  Use  Anti-virus  programs. 

15.  Restrict  access  to  bulletin  board  systems. 

Sources:  [Refs.  41:p.  78;  18:p.  27] 
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detected  until  it  is  too  late.  A  few  methods  for  detecting 

virus  are  [Ref.  18:pp.  28-29]; 

Check  file  sizes  against  a  previously  established  table. 

-  Use  utilities  or  programs  that  search  all  program  files 
for  strange  text. 

Set  system  clock  to  the  future. 

Look  for  strange  files  on  the  system. 

Once  a  victim  of  a  virus,  the  computer  should  be 
pulled  off  the  network  and  the  virus  isolated.  If  the  virus 
is  detected  early,  then  the  backup  tapes  can  be  used  for 
restart.  Lefore  reloading,  turn  off  the  power  to  the  system 
to  ensure  that  random  access  memory  (RAM)  is  cleared.  If  the 
virus  is  complicated,  a  computer  expert  should  be  called. 
[Ref.  13;p.  29] 

Backups  are  the  primary  method  of  recovering  from  a 
virus.  Copies  of  original  vendor  software  should  be  made  as 
a  back  ip. 

Ti  viruses  cannot  be  prevented  or  cured,  it  is  essential 
that  the  means  be  available  to  recover  from  them.  Only 
thorc . gh  backup  can  make  that  possible.  [Ref.  17 :p.  23] 

Finally,  anti-virus  programs  alone  are  inadequate  to 
provide  the  necessary  prevention  against  viruses.  To  preclude 
future  v^iruses  a  strong  prevention  program  including  anti¬ 
virus  programs  and  backups  are  recommended.  The  bottom  line 
is  viruses  require  efrective  controls  of  software  and 
responsiole  personnel.  "Effective,  security-conscious , 
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vigilant  management  is  the  solution  to  computer  viruses,  as  it 
is  all  computer  security  problems."  [Ref.  17 :p.  23] 

2 .  Operating  System 

Once  access  has  been  gained  into  the  network,  controls 
should  be  set  for  the  type  of  data  the  user  can  access. 
Currently,  most  network  operating  systems  have  file  security 
systems.  [Ref.  14 ;p.  85]  The  file  security  system  enables 
the  LAN  manager  to  "determine  directories  and  even  individual 
files  a  given  user  can  have  access  to."  [Ref.  14 :p.  85]  The 
LAN  manager  can  also  "set  the  type  of  access,  detei-m.ining 
whether  the  user  can  only  read  a  file  or  whether  he  has  full 
read/write  access."  [Ref.  14 :p.  85] 

In  this  way,  there  can  be  a  whole  hierarchy  of  security 
within  a  system,  allowing  certain  users  access  to 
directories  A,  B,  C  and  the  accounting  database,  while 
others  have  access  to  directories  D,  E  and  F  and  the 
inventory  database.  Access  roust  also  be  controlled  to 
programs.  There  must  be  a  way  to  prevent  users  from  running 
programs  they  do  not — or  should  not--need.  [Ref.  14:pp.  85- 
87] 

3 .  Encryption 

If  the  data  are  valuable  or  classified,  then  the  lines 
should  be  secure.  One  way  of  doing  this  is  encryption. 
Encryption  codes  the  information  before  the  data  are  sent  on 
the  network.  Encryption  "is  one  of  the  best  security  methods 
for  local  links."  [Ref.  22 :p.  38]  "For  remote  connections, 
encryption  is  the  only  answer  to  keep  information  secure." 
[Ref.  22:p.  38] 
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Encryption  is  not  widespread  because  it  costs  money. 
"An  encryption  program  costs  twice  the  price  of  a  LAN  card." 
[Ref.  14 :p.  88]  An  unclassified  or  low  security-level  system 
would  not  require  encryption  of  data.  Presently,  encryption 
slows  the  network  by  the  time  required  to  code  and  decode 
messages.  Many  LAN  managers  just  encrypt  passwords  because 
encryption  is  expensive.  [Ref.  14:p.  88] 

E.  COMMUNICATION 

When  a  legitimate  need  for  dial  out  is  required,  use  a 
communication  server.  As  discussed  in  Chapter  III,  the 
communication  server  allows  the  users  to  connect  to  other 
networks  through  one  modem.  A  combination  facsimile  and  modem 
board  provides  "the  advantage  of  making  both  dial  out  and  fax 
available  to  all  network  users."  [Ref.  8:p.  105] 

All  users  rarely  need  outside  connections.  When  they 
do,  however,  use  the  communications  server  approach  and 
write  scripts  that  automate  (and  restrict)  the  outside 
numbers  to  which  users  can  connect.  [Ref.  8:p.  105] 

Three  basic  rules  apply  when  using  remote  access  in  LANs 
[Ref.  22 :p.  38]: 

Should  have  dial  back  where  the  system  (modem)  dials  the 

authorized  user  back  after  calling. 

Turn  the  modem  off  when  not  in  use. 

Limit  the  number  of  tries  with  the  wrong  password. 

The  most  important  rule  for  remote  access  is  "no  outside 
access  when  dealing  with  sensitive  data."  [Ref.  22 :p.  44] 
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F.  CABLING  AND  ELECTRICAL  DESIGN 
1 .  Cabling 

The  type  of  cabling  is  an  important  security  decision. 
Fiber  optic  cable  is  "far  more  resistant  to  wiretapping  than 
other  media  and  should  be  considered  for  applications  where 
security  is  important."  [Ref.  15:p.  227] 

The  biggest  benefit  from  fiber  optics  in  terms  of  data 
security,  may  be  noise  immunity.  Since  fiber  optic  cable 
uses  light  as  a  transmission  source,  it  neither  emanates  nor 
is  it  susceptible  to  emanations  from  other  sources.  Fiber 
optic  cables  may  be  run  next  to  electric  motors  without 
experiencing  any  interference  from  the  motor's  field.  As 
long  as  the  cable  is  physically,  it  is  virtually  impossible 
to  tap.  [Ref.  42:p.  140] 

Additionally,  fiber  optic  physical  security  is  "less 
expensive  than  for  traditional  wire  cables  since  fiber  optics 
require  no  electrical  shielding."  [Ref.  8:p.  140] 

Connections  is  another  concern  with  cabling. 

By  placing  all  connections  in  a  locked  wire  closet  and 
providing  diagnostic  taps  and  tools,  the  system  is  protected 
against  vandalism,  troubleshooting  is  faster  and  the  network 
can  be  restored  to  service  more  rapidly  in  the  event  of  a 
cable, tap  or  access  unit  problem.  [Ref.  25:p.  19] 

Laying  the  cable  is  an  important  area  in  designing  a 
network.  Although  laying  the  cable  the  shortest  distance  is 
ideal,  it  may  be  more  headaches  than  it  is  worth.  Ideally, 
the  LAN  manager  needs  to  access  the  cable  for  troubleshooting 
if  required.  For  this  reason  proper  documentation  of  cabling 
layout  is  required.  [Ref.  39:p.  33] 

The  cable  tips  are  summarized  below  [Ref.  43:pp.  124- 
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Double  up  each  line.  Run  two  cables  instead  of  one. 

Use  wall  plates.  Looks  better  also  keeps  tension  off  the 
drop  cable. 

Avoid  running  copper  cabling  near  power  wires  and 
florescent  fixtures.  Watch  out  for  electromagnetic 
energy.  An  electric  pencil  sharpener  can  wreck  havoc  on 
a  network. 

Think  about  future  requirements. 

Check  the  codes  and  regulations  before  installing  cable 

*  Local  fire  codes. 

*  National  Fire  Protection  Association  Standards. 

*  The  National  Electrical  Code  (NEC) . 

*  Local  and  national  building  codes. 

*  Uniform  Building  Code. 

*  FCC  regulations  against  Radio  Frequency  Interference 
(RFI)  and  Electromagnetic  Interference  (EMI) . 

Avoid  placing  cable  in  areas  where  it  can  be  damaged. 

Realistically,  tapping  an  unclassified  network  would 
be  considered  a  low  probability  and  risk.  As  discussed,  the 
shielding  of  the  cable  is  an  important  element  for  noise 
immunity.  In  designing  a  low-risk  LAN,  the  noise  factor 
should  be  more  of  a  consideration  than  tapping  threats. 

2 .  Electrical  Power 

Electrical  power  is  an  important  security  area  for 
LANs.  Electrical  protection  should  cover  the  file  server  and 
other  critical  systems. 

An  IBM  study  determined  "that  uninterruptable  power 
systems  (UPS)  are  required  for  the  reliable,  continuous 
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operation  of  electrical  equipment."  [Ref.  27:p.  123]  On-line 
UPS  may  not  be  cost-effective  for  all  computer  applications. 
At  the  minimum,  surge  power  protectors  and  back  up  power  are 
required . 

As  depicted  in  Table  4.1,  there  are  1.8  power  distur¬ 
bances  per  week  from  wall  receptacles.  Since  PC-based  power 
is  from  wall  receptacles,  this  is  a  vulnerability  for 
equipment  operating  continuously  as  a  file  server.  An  on-line 
UPS  is  a  cost-effective  solution  when  the  equipment  is  running 
on  a  continuous  basis  such  as  the  file  server  [Ref.  27  :p. 
124]  . 

G .  MANAGEMENT  CONTROLS 

A  neglected  aspect  of  LAN  security  is  the  L/iN  manager 
[Ref.  6:p.  52].  The  LAN  manager  is  "responsible  for  setting 
up  passwords,  access  rights,  recovery  and  backup  procedures, 
and  monitoring  the  system  for  security  violations."  [Ref. 
6;p.  52] 

"It  doesn't  matter  whether  you  have  a  two-node  LAN  or  a 
200-node  LAN,  the  LAN  needs  a  LAN  administrator."  [Ref.  26:p. 
96]  Although  managing  an  entry-level  LAN  is  only  a  collateral 
job,  someone  must  be  responsible  for  monitoring  the  system. 

It  is  important  to  "train  more  than  one  person  as  the  LAN 
manager."  [Ref.  39  :p.  33]  Otherwise,  if  the  LAN  goes  down 
when  the  LAN  manager  is  gone,  all  the  work  stops.  "A  LAN 
manager  must  understand  DOS  and  the  networking  operating 
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system,  know  how  to  do  backups  and  to  troubleshoot  problems." 
[Ref.  39:p.  33] 

Management  should  evaluate  their  microcomputer  environment 
to  ensure  that  the  proper  controls  exist.  Management  should 
[Ref.  44:p.  27]: 

Develop  and  disseminate  data  security  policies  and 
procedures  to  all  employees. 

Analyze  information  in  terms  of  its  confidentiality  and 
sensitivity . 

Implement  appropriate  security  measures  over  information 
deemed  confidential  or  sensitive. 

Management  must  "balance  ease  of  use  with  security 


controls .  " 

[Ref. 

4  5  :  p . 

28] 

"Security 

measures  must  be 

designed  in 

a  way 

which 

will 

encourage 

user  compliance." 

[Ref.  45:p. 

78] 

Access 

control  measures 

such  as  "log  on 

security,  passwords,  physical  access  controls — terminal  lock 
and  key,  card-reading  devices  or  biometrics — and  terminal 
identification  are  of  no  help  if  they  are  ignored  or 
circumvented."  [Ref.  45:p.  781  The  organization  must  "strike 
a  balance  between  absolute  impregnability  and  user 
convenience."  [Ref.  45:p.  78] 

Basic  security  objectives  and  security  requirements 
should  be  "identified  at  the  beginning  to  avoid  needless 
replication  and  to  conserve  resources."  [Ref.  46:p.  24] 

"Security  is  as  much  about  preventing  data  loss  from 
errors  as  it  is  aboui.  preventing  intrusion."  [Ref.  8:p.  108] 
"Security  is  meant  to  keep  your  business  your  business.  But 
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it's  also  meant  to  help  users  do  their  jobs  safely  and 
conveniently."  [Ref.  8:p.  108] 

Security  is  an  attitude.  Security  must  be  emphasized  from 
top  managemenc  down.  Time  allowance  for  training  and  security 
awareness  is  essential.  A  large  portion  of  damage  to 
computers  is  unintentional  and  non-malicious  from  untrained 
personnel.  Security  awareness  for  new  personnel  is  required 
when  introducing  proper  procedures  for  using  microcomputers 
and  networks.  "Training  is  expensive,  but  not  nearly 
expensive  as  not  training."  [Ref.  47  :p.  24]  The  most 
effective  security  measure  is  the  trained  user. 

Training  is  an  important  control  ingredient.  Initially, 
users  should  be  grouped  by  skill  levels:  "whether  they  are 
new,  familiar  with  DOS,  familiar  with  word  processing,  or 
experienced  users."  [Ref.  39:p.  33]  Then  the  application 
courses  can  be  designed  for  different  skill  levels. 
Experienced  users  may  only  need  training  on  areas  unique  to 
LAN  operations.  [Ref.  39:p.  33] 

"Many  control  problems  in  the  microcomputer  environment 
are  due  to  inadequate  computer  training."  [Ref.  44 :p.  26] 
Users  without  training  "are  not  aware  of  pertinent  backup, 
programming  and  security  issues."  [Ref.  44 :p.  26]  "Training 
employees  on  the  proper  uses  of  a  computer  system  and  the 
responsibilities  associated  with  its  use  is  the  key  variable 
in  the  development  of  a  well-controlled  environment."  [Ret. 
44:p.  26] 
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"Surprisingly,  simpler  controls  are  often  better  able  to 
withstand  the  tests  of  time  because  they  are  understood  by 
management  and  others  who  must  support  them."  [Ref.  28:pp. 
14-15] 

The  final  decision  on  LAN  configuration  "becomes  a  matter 
of  cost,  support  of  required  features,  ease  of  installation 
and  requirea  administration  overhead."  [Ref.  6:p.  56] 

The  bottom  line  for  security  is  very  simple.  Decide 
what  you  realistically  need  in  security  with  your  risk  and 
exposure  assessment  and  then  apply  the  security  measures. 
Have  a  disaster  recovery  plan  and  a  written  security 
document  that  lays  down  policies  and  procedures.  [Ref.  8;p. 
108  ] 

Finally,  "plan  your  network  with  an  eye  to  the  future." 
[Ref.  42:p.  141] 

H.  THE  USER 

Without  the  understanding  and  cooperation  of  the  user  of 
the  system,  the  security  policy  and  control  solutions  will  be 
inadequate.  The  user  will  either  suppress  the  controls  or 
suppress  t]  "  automated  system  [Ref.  48:p.  j.x]  .  When  designing 
a  LAN  system,  the  effects  of  security  on  the  user  must  be 
considered.  "Security  imposes  restrictions  which  can  cause 
friction."  [Ref.  13;p.  30] 

Personnel  can  become  frustrated  by  security  measures  and 
attempt  to  circumvent  the  controls  [Ref.  13;p.  30].  Users 
will  not  conform  to  restrictions  if  they  don't  understand  the 
reasons . 
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A  solution  to  this  problem  "is  to  motivate  people  to 

cooperate."  [Ref.  13 :p.  30]  Mike  Hurwicz  suggests  the 

following  actions  [Ref.  13:p.  30]: 

Explain  the  reasons  for  security  procedures.  When  people 
understand  why  controls  are  necessary,  they  are  more 
likely  to  cooperate. 

Make  it  clear  to  prospective  and  current  employees  that 
everyone  is  expected  to  cooperate.  Establish  clear 
consequences  for  failure  to  cooperate. 

Be  specific  about  policies  and  procedures.  Write  them 
down  and  give  everyone  a  copy. 

Don't  overdo  it. 

Says  Hurwic.’ ,  "Enlisting  the  support  of  employees  is 
probably  the  single  most  cost-effective  security  precaution  a 
company  can  take."  [Ref.  13:p.  30] 

End  users  have  a  security  responsibility.  Users  must 
realize  the  "importance  of  keeping  passwords  to  themselves  and 
logging  off  their  computers  at  lunch  tim.e  and  also  at  the  end 
of  the  wor’-day."  [Ref.  45:p.  78]  At  the  end  of  the  day  or 
when  no  one  is  working  at  the  station,  sensitive  information 
should  be  cleared  from  the  workstation  including  what  is 
residing  on  accessible  memory.  Sensitive  matenial  must  be 
properly  protected  and  secured.  [Ref.  23 :p.  42] 

Any  security  program  must  involve  the  user.  The  user  must 
be  indoctrinated  in  why  these  procedures  are  necessary. 
Additionally,  the  user  must  be  security  awareness  trained. 
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Table  5.5  is  a  list  of  responsibilities  that  the  user 
should  have  for  a  PC  but  can  also  be  applied  for  local  area 
networks . 


TABLE  5.5 

PC  USERS'  RESPONSIBILITIES 


1.  Properly  securing  sensitive  inf ormation/data  and 
media  to  protect  against  unauthorized  destruction 
and  access. 

2.  Protecting  PC  equipment  and  media  against  the 
detrimental  effects  of  dirt,  heat,  coffee, 
magnets,  etc. 

3.  Labeling  PC-generated  information/reports  to 
differentiate  them  from  normal  data  processing- 
produced  data  to  include  the  creator's  name,  date, 
source,  cop  number,  etc. 

4.  Properly  documenting  programs  to  facilitate  the 
turnover  of  files  to  new  users. 

5.  Complying  with  software  licensing  agreements. 

6.  Making  backup  copies  of  essential  files  and 
programs . 

7.  Preparing  labels  for  PC  media.  (There  should  be  a 
standard  labeling  format  for  the  entire 
organization . ) 

8.  Prohibiting  unauthorized  access  to  information. 


Source:  [Ref.  23:p.  41] 


Often  the  users  comply  with  the  hard  regulations  and 
rules,  but  the  simple  and  common  sense  security  measures  are 


79 


often  neglected.  Common  sense  can  go  a  long  way  to  assist  in 
tliG  prevention  of  security  problems. 

The  link  between  management  controls  and  the  user  are 
training,  trust  and  cooperation.  Figure  5.2  depicts  the  User 
Security  Asset  Triangle.  To  have  an  effective  user  security 
program  all  three  areas  of  the  triangle  must  be  developed. 
For  example,  training  users  leads  to  cooperation  and  develops 
a  trust  of  management. 


Training 


Trust 


Cooperation 


Figure  5.2  User  Security  Asset  Triangle 


In  summary,  the  user  is  the  most  important  asset  and  also 
ttie  greatest  liability  [Ref.  18:p.  30].  The  organization's 
security  program  is  only  as  good  as  the  user.  Leaving 
passwords  attached  to  the  computer  and  tlie  key  in  the  computer 
are  habits  that  should  be  avoided. 

I .  SUMMARY 

This  chapter  has  emphasized  the  prevention,  detection  and 
recovery  elements  as  an  integral  part  of  system  design.  Tlie 
fundamental  elements  of  a  LAN  design  include  access 
protection,  communication  protection,  management  controls. 
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user  interface  and  a  recovery  system.  Each  of  these  areas 
must  be  examined  to  ensure  a  good  LAN  design. 

As  discussed  in  this  chapter,  access  protection  involves 
both  hardware  and  software.  The  hardware  includes  locks, 
keys,  diskless  PCs  and  biometrics.  The  software  control 
access  includes  passwords  and  access  restrictions  to  files  and 
directories . 

The  communication  protection  to  consider  is  call-back 
devices  for  verification  and  restricting  dial-up  capability. 

Management  controls  and  the  user  interface  can  not  be 
overemphasized.  The  LAN  manager  is  key  to  monitoring  the 
system  for  security  problems.  A  properly  trained  and  educated 
user  can  eliminate  many  security  problems. 

Finally,  the  recovery  system  is  an  essential  part  of  the 
design.  Backups  are  required  to  avoid  lost  data,  user 
mistakes  and  disaster  recovery. 
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VI .  RECOMMENDATIONS.  CONCLUSIONS.  AND  SUGGESTIONS 

FOR  FUTURE  RESEARCH 

A.  SUMMARY  OF  RESULTS 

The  primary  research  question  was  to  identify  the  security 
problems  and  control  issues  in  local  area  networks  (LANs) . 
The  aim  of  this  thesis  was  to  emphasize  the  prevention, 
detection  and  recovery  elements  as  an  integral  part  of  LAN 
system  design.  A  case  study  was  designed  to  help  officers 
stationed  at  naval  patrol  aviation  squadrons  gain  an 
appreciation  of  the  security  issues  in  an  unclassified  network 
environment.  Chapter  III  introduced  the  reader  to  basic  LAN 
terminology  including  LAN  architecture,  topology  and  access 
procedures,  and  transmission  media.  Various  security  problems 
in  LANs  were  discussed  in  detailed  in  Chapter  IV.  The  primary 
issued  related  to  hardware  security  resides  in  the  fact  that 
current  systems  lack  built-in  security  mechanisms.  Physical 
security  has  been  a  neglected  area  in  implementing  LANs. 
Effective  measures  should  be  taken  to  protect  cabling, 
workstations  and  electrical  power  from  unpredictable  damage. 
As  far  as  software  is  concerned,  license  violations,  lack  of 
robustness  of  PC-based  operating  systems,  and  viruses  remain 
to  be  the  most  critical  aspects.  Also,  illegal  access  by 
computer  hackers  presents  a  serious  threat  to  remote 
connections.  Finally,  human-related  security  problems  remain 
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the  utmost  issue  to  be  addressed.  Chapter  V  proposed  a 
taxonomy  of  control  solutions  for  LANs.  Depending  on  the 
security  spectrum,  various  physical,  logical  and  administra¬ 
tive  control  measures  could  be  devised.  Password  handling, 
recovery  procedures  including  backups  are  amongst  cost 
effective  control  strategies.  It  is  not  unusual  to  neglect 
LAN  management  as  one  aspect  of  LAN  security.  A  management 
control  plan  should  be  carefully  designed  to  appropriately 
empower  the  LAN's  managers,  and  to  promote  users'  awareness 
and  involvement  in  a  security  program. 

B.  RECOMMENDED  SOLUTIONS  FOR  THE  PROPOSED  CASE  STUDY 

The  following  security  concerns  are  discussed  in  the  case 
study : 

Diskette  dilemma. 

Software  theft/license  violations. 

Access  to  computer  bulletin  boards. 

Physical  access  controls  (locks). 

Password  strategy. 

Viruses. 

The  careless  user. 

Electrical  power. 

LAN  manager  controls. 

Recovery  systems  (backups,  audit  trails) . 

Unauthorized  access  to  information. 

Remote  logins. 
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virus  prevention. 

Tempest. 

Although  "Ringer's"  recommendations  are  adequate,  a  few 
recommendations  have  flaws.  For  example,  in  the  case, 
"Ringer"  suggested  incorrectly  that  the  anti-virus  program 
should  be  installed  on  the  network.  No  software  should  be 
authorized  on  the  network  until  tested  on  an  isolated  personal 
computer.  Anti-virus  programs  although  considered  important 
in  the  prevention  of  viruses,  when  considered  alone  are 
inadequate.  Management  controls  and  the  trained  user  are  key 
elements  in  preventing  viruses. 

Another  problem  discussed  by  "Ringer"  is  password 
strategy.  Password  systems  are  doomed  to  fail  if  the  codes 
are  ear  to  remember. 

LAN  Manager  was  another  topic  of  discussion  in  the  case. 
As  discussed  in  the  thesis,  a  LAN  of  more  than  three  computers 
require  a  LAN  Manager.  1  job  may  be  only  collateral,  but  it 
is  needed.  The  LAN  Manager  must  monitor  the  network,  check 
audit  trails  and  set  up  backup  procedures.  Audit  trails  are 
important  to  read  at  least  once  a  week  but  preferably  once  a 
day . 

Tempest  is  for  keeping  RF  signals  contained.  As  discussed 
in  the  case,  this  has  nothing  to  do  with  whether  classified 
information  can  be  installed  on  the  network.  Classified 
information  should  not  be  filed  on  the  hard  disk. 
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There  is  no  optimal  solution  to  designing  a  security 
system  for  a  LAN.  The  level  of  security  depends  on  the 
perceived  threats  and  the  risks.  A  risk  assessment  is 
required  when  changing  the  computer  structure  of  an 
organization.  After  the  risk  assessment  is  completed,  the 
security  measures  can  be  implemented. 

Organizational  objectives  pertaining  to  security  issues 
should  be  carefully  weighted  and  prioritized.  Finally,  common 
sense  is  an  important  ingredient  in  designing  a  security 
system.  Tight  controls  may  reduce  productivity  and  cause 
friction  in  the  working  environment.  Cn  the  other  hand, 
loose  controls  can  result  in  security  problems.  A  middle 
ground  should  be  established. 

C.  SUGGESTIONS  FOR  FUTURE  RESEARCH 

There  are  at  least  two  areas  of  study  that  could  be 
suggested  for  future  research. 

First,  all  security  program  requires  a  risk  assessment  to 
identify  and  assess  the  exposures  and  their  potential  damages. 
The  organization  must  determine  the  level  of  security 
perceived  as  necessary.  A  possible  area  for  research  is  to 
incorporate  risk  assessment  in  the  domain  of  LAN  security 
along  OPNAVINST  5239. lA  guidelines. 

Second,  the  materials  discussed  in  this  thesis  should 
provide  enough  information  to  implement  a  decision  support 
systems  that  would  comply  with  the  C2  level  of  security  by 
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1992  in  the  Navy.  The  criteria  classes  of  security  are  set 
from  a  level  of  class  D  for  minimal  protection  to  class  A  for 
the  highest  level  of  security.  Class  C2  involves 
discretionary  access  control,  audit  trails,  and  identification 
and  authentication  of  users. 
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